Suggest increasing the severity when duplicate bugs have higher severity


Suhaib Mujahid

Oct 26, 2022, 3:33:09 PM
to dev-pl...@mozilla.org, Marco Castelluccio

Hello,


When a bug is closed as a duplicate of another bug, the duplicate bug could be showing a different view/effect of the same defect. Thus, their severity could be different. For example, it was not clear that bug 1738056 affected accessibility, thus, it was triaged as S4; whereas, the accessibility problem was clear in its duplicate (bug 1735712), which was triaged as S2. However, closing the bug as a duplicate concealed important information. To avoid underestimating the severity in such cases, we implemented a new feature for autonag to highlight cases where duplicate bugs have higher severity than original bugs.


To avoid unnecessary noise, we applied some measures (we are welcoming any suggestion for additional measures):

  • Ignore cases where severity was downgraded after the duplicate bugs were linked.

  • Manually cleaned up duplicate bugs where severity was set by an external reporter.

  • Manually cleaned up cases where the bot had already asked to increase the severity for other reasons.


We plan to enable the feature on Monday, October 31st, 2022. You could peek at examples of affected bugs by checking the dry-run results.


Your feedback is genuinely appreciated.


Thank you,

Suhaib, on behalf of the CI and Quality Tools team.

Daniel Veditz

Oct 30, 2022, 7:30:28 PM
to Suhaib Mujahid, dev-pl...@mozilla.org, Marco Castelluccio

On Wed, Oct 26, 2022 at 12:33 PM Suhaib Mujahid <smuj...@mozilla.com> wrote:
> When a bug is closed as a duplicate of another bug, the duplicate bug could be showing a different view/effect of the same defect. Thus, their severity could be different.

As a special case of this, security bugs should NOT be marked as a duplicate of a non-security bug. In most cases the security bug should be left open and made to "depend on" the non-security bug. Please leave a note in the whiteboard of the security bug along the lines of "will be fixed by XXX", and mark the security bug "FIXED" when its blocking bug is. The separate security bug is a trigger that reminds us to:
  • verify the security issue is really fixed
  • write advisories when the time comes
  • track bug bounties when applicable
-Dan Veditz
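
The two checks discussed in this thread, sketched as an added example that is not part of either message and is not autonag's code: flag an original bug whose duplicate carries a higher severity (skipping originals downgraded after the link), and flag a security bug closed as a duplicate of a non-security bug. The `Bug` record, its field names, the `is_security` flag and the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

RANK = {"S1": 1, "S2": 2, "S3": 3, "S4": 4}  # lower rank = more severe

@dataclass
class Bug:  # hypothetical record, not a Bugzilla or autonag type
    id: int
    severity: str
    is_security: bool = False
    dupe_of: Optional[int] = None
    dupe_linked_at: Optional[datetime] = None
    # (timestamp, old, new) severity changes made on this bug
    severity_history: list = field(default_factory=list)

def downgraded_after(original, when):
    """True if the original's severity was lowered after the dupe was linked."""
    return any(ts > when and RANK[new] > RANK[old]
               for ts, old, new in original.severity_history)

def review_duplicates(bugs):
    """Return (bug_id, finding) pairs for the two cases raised in the thread."""
    by_id = {b.id: b for b in bugs}
    findings = []
    for dupe in bugs:
        original = by_id.get(dupe.dupe_of)
        if original is None:
            continue
        if dupe.is_security and not original.is_security:
            findings.append((dupe.id, "security bug duped to non-security bug"))
        if (RANK[dupe.severity] < RANK[original.severity]
                and not downgraded_after(original, dupe.dupe_linked_at)):
            findings.append((original.id,
                             f"duplicate {dupe.id} has higher severity {dupe.severity}"))
    return findings

def day(d):
    return datetime(2022, 10, d)

# Constructed sample bugs (ids, dates and flags are made up for illustration).
SAMPLE = [
    Bug(100, "S4"),
    Bug(101, "S2", dupe_of=100, dupe_linked_at=day(1)),
    Bug(200, "S4", severity_history=[(day(5), "S2", "S4")]),  # downgraded later
    Bug(201, "S2", dupe_of=200, dupe_linked_at=day(2)),
    Bug(300, "S3"),
    Bug(301, "S3", is_security=True, dupe_of=300, dupe_linked_at=day(3)),
]
```
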