Skip to content

docs(vulnogram): oss-security is sent automatically by the OSS/ASF Emails tab#773

Merged
potiuk merged 2 commits into
apache:mainfrom
potiuk:fix-oss-security-auto-send
Jul 7, 2026
Merged

docs(vulnogram): oss-security is sent automatically by the OSS/ASF Emails tab#773
potiuk merged 2 commits into
apache:mainfrom
potiuk:fix-oss-security-auto-send

Conversation

@potiuk

@potiuk potiuk commented Jul 7, 2026

Copy link
Copy Markdown
Member

Summary

Follow-up fix to #749. That PR added a step telling the release manager to manually send a copy to oss-security@lists.openwall.com after clicking Send these Emails. That is incorrect.

Vulnogram's advisory tab is the "OSS/ASF Emails" tab (named as such in #570). Its Send these Emails button dispatches the advisory to oss-security (the "OSS") and the ASF lists (the "ASF") in a single action. So the manual instruction added by #749 implied a double-send and misrepresented the flow.

Reported by the Airflow security team during a CVE sync run.

What changed

Keep oss-security@lists.openwall.com documented as a required recipient (so #176's intent is still satisfied), but describe it correctly as part of the automatic OSS/ASF send — no separate manual step. Three spots updated:

  • tools/cve-tool-vulnogram/release-manager-handoff-comment.md
  • tools/cve-tool-vulnogram/release-manager-handoff-comment-oauth-pushed.md
  • tools/cve-tool-vulnogram/record.md (step 5)

Type of change

  • Tool / bridge contract (tools/<system>/*.md)

Test plan

  • prek run markdownlint typos trailing-whitespace passes

Linked issues

Re #749, #176

Tester added 2 commits July 7, 2026 12:51
…wn PRs

The mention guard enforced author-only notification for every guarded
comment, which also blocked the legitimate case of the operator nudging
their own reviewers on their own PR. Exempt that case: when the target's
author is the authenticated `gh` user, allow the mention. Operator
resolution failing falls through to the existing author-only rule
(fail-safe). The `MAGPIE_ALLOW_MENTIONS=1` override for any other
deliberate exception is unchanged.

Adds own-PR test coverage (allow, case-insensitive, and others'-PR still
denied when the operator resolves), makes the existing fold-edit test
hermetic (it previously relied on a real `gh pr view` failing), and
updates the agent-guard README table and Golden rule 12.

Generated-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…ails tab

PR apache#749 added a step telling the release manager to "manually send a
copy to oss-security@lists.openwall.com" after clicking Send these
Emails. That is incorrect: Vulnogram's advisory tab is the "OSS/ASF
Emails" tab (named in apache#570), and its Send these Emails button dispatches
to oss-security (OSS) and the ASF lists (ASF) in a single action. The
manual instruction implied a double-send.

Keep oss-security documented as a required recipient (satisfies apache#176)
but describe it correctly as part of the automatic OSS/ASF send, with no
separate manual step. Updates all three spots: both RM handoff-comment
templates and record.md step 5.
@potiuk potiuk merged commit 46d1c33 into apache:main Jul 7, 2026
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant