Closed
Bug 1476102
Opened 6 years ago
Closed 6 years ago
remove firefox-build-security/firefox-build-security-team
Categories
(bugzilla.mozilla.org :: Administration, task)
RESOLVED
FIXED
People
(Reporter: dveditz, Assigned: dveditz)
The "Firefox Build System" product was created in bug 1406536, and a new pair of security groups were created for it: firefox-build-security and firefox-build-security-team. Bug 1406536, however, asked for the existing security groups to be ported over and no one was ever added to either of the two security groups. Security bugs in that product risk dropping into a black hole, especially since the bug group doesn't contain "core-security" which is used for normal client security bug triage.
I propose removing the two empty groups and using the existing "firefox-core-security" as the default for this product.
Assignee
Updated•6 years ago
Assignee: nobody → dveditz
Comment 1•6 years ago
I think this is Kim's team's wheelhouse.
Kim: Sound okay?
Updated•6 years ago
Flags: needinfo?(kmoir)
+1 on Kim's call on this.
Assignee
Comment 3•6 years ago
I could live with a new group if there's actually a list of people who are in that group and can see those bugs -- otherwise it's useless and we're losing bugs.
If a separate bug group is required then I'd prefer one that matched the *-core-security naming of the other Firefox security groups so that our existing shared triage queries and reports will find those bugs. For example, build-core-security.
Comment 4•6 years ago
We rarely get security related build system bugs. At least the kind of security bugs that need hidden from the public.
And the Firefox Build System Bugzilla product isn't triaged the same way other products are.
My inclination is for real build system security bugs to piggyback off existing security processes/groups rather than have a one-off security group for the build system. But I concede I don't know much about how this aspect of the world works and I could be off base.
Comment 5•6 years ago
Dan:
Unless you hear differently from Kim, I have no problem with you doing what you suggested in comment #0.
Thanks for bringing this to our attention!
Flags: needinfo?(dveditz)
I am making these changes.
Flags: needinfo?(dveditz)
I have:
* added firefox-core-security as a group option for bugs to the Firefox Build System product
* moved the one bug which was in the firefox-build-security group to the firefox-core-security group (bug 1476098)
* removed firefox-build-security from the group options for bugs in the Firefox Build System product
* disabled firefox-build-security from being associated with bugs
* removed firefox-build-security from the automatic grants for members of firefox-build-security-team
* removed the phab-bugs bot from direct membership in the firefox-build-security group
Can the firefox-build-security and firefox-build-security-team groups be removed? Or do they need to stay around to keep bug history intact?
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(dylan)
Resolution: --- → FIXED
Assignee
Comment 9•6 years ago
(In reply to Gregory Szorc [:gps] from comment #4)
> We rarely get security related build system bugs. At least the kind of
> security bugs that need hidden from the public.
That would have been my assumption as well--about actual "build system" issues. Most of the bugs in that product that are in a security group right now are "Source Code Analysis" bugs moved from elsewhere and are in the security group related to the part of Firefox code being analyzed.
Comment 10•6 years ago
Those groups can be removed. It's difficult to have a guideline for when a group is safe to remove, but in general the -security ones if they're not used are probably good. Always best to file a bug and discuss with stakeholders.
Thanks!
Flags: needinfo?(dylan)