On Thursday 21 November 2013 15:59:53 Tomáš Chvátal wrote:
[snip]
So first of all I appreciate your goal to automate bug checks. I can only imagine that Ludwig's idea was to avoid any hints to embargoed fixes (for not yet disclosed security issues). That actually makes sense to me and I have to admit that I uploaded such a fix to the OBS once myself (and yes, I discovered it and our awesome admins killed it). So it could make sense to disallow uploading embargoed fixes to public projects in OBS. But this would have to happen at checkin time.

Another class of non-public bugs are legal issues. For those, I have to regularly call Ciarran myself. Most of the time, there's no need to keep them private and our legal team opens them up. But some have to stay private for a longer period (CC'ing Ciarran therefore).

Closely related, you could definitely check for CVE numbers. But those are more relevant for maintenance updates rather than Factory submissions.

From a Factory reviewer's perspective, we also look at whether the mentioned bug actually matches the patch (happens more often than you think) or whether the upstream-proposed patch is the same one that the packager submits. We also have contributors that haven't yet heard of [0] and provide funky spellings like "bugzilla#123", "bnc 123", "bug 123", "#123", "bnc #123". I would love to see those auto-declined :-)

[0] http://en.opensuse.org/openSUSE:Packaging_Patches_guidelines#Current_set_of_...

-- 
With kind regards,
Sascha Peilicke
SUSE Linux GmbH, Maxfeldstr. 5, D-90409 Nuernberg, Germany
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer HRB 16746 (AG Nürnberg)
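
An added example, not part of the original mail and not OBS or review-bot code: a sketch of the check asked for above, run over a constructed changelog entry. It assumes the accepted spelling is "bnc#<number>" (the guideline link above is truncated, so this is an assumption), and the function name, sample text and CVE id are placeholders.

```python
import re

# Assumption: the only accepted spelling is lowercase "bnc#<digits>".
ACCEPTED_PREFIX = "bnc"

# Loose matcher: a tracker word plus any mix of space/'#', or a bare '#',
# followed by digits. The lookbehind keeps "debug 1" from matching as "bug 1".
LOOSE_REF = re.compile(
    r"(?<![\w#])(?:(?P<word>bugzilla|bug|bnc)(?P<sep>\s*#?\s*)|#)(?P<num>\d+)\b",
    re.IGNORECASE,
)
CVE_ID = re.compile(r"\bCVE-\d{4}-\d{4,}\b")


def check_changes_entry(text):
    """Classify bug references in a changelog entry and collect CVE ids."""
    accepted, malformed = [], []
    for m in LOOSE_REF.finditer(text):
        if m.group("word") == ACCEPTED_PREFIX and m.group("sep") == "#":
            accepted.append(m.group(0))
        else:
            # Report the offending spelling with the suggested replacement.
            malformed.append((m.group(0), f"{ACCEPTED_PREFIX}#{m.group('num')}"))
    return {
        "accepted": accepted,
        "malformed": malformed,
        "cves": CVE_ID.findall(text),
        # A CVE id alone does not decline; it is surfaced for the reviewer.
        "decline": bool(malformed),
    }


# Constructed sample entry; CVE-0000-00000 is a placeholder id.
SAMPLE = """\
- Fix crash on startup (bnc#123)
- Add foo.patch, see bug 456 and bnc #789
- Security fix for CVE-0000-00000 (bugzilla#1011)
- Closes #42
"""

if __name__ == "__main__":
    result = check_changes_entry(SAMPLE)
    for bad, fix in result["malformed"]:
        print(f"declined: {bad!r} should be written {fix!r}")
    print("CVE ids for reviewer attention:", result["cves"])
```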