oss-sec mailing list archives

CC'ing external lists/bugs (Re: [oss-security] Bug#771125: Info received ([oss-security] CVE request: mutt: heap-based buffer overflow in mutt_substrdup()))


From: Solar Designer <solar () openwall com>
Date: Thu, 27 Nov 2014 18:19:18 +0300

On Thu, Nov 27, 2014 at 04:15:10AM +0000, Debian Bug Tracking System wrote:
> Thank you for the additional information you have supplied regarding
> this Bug report.
> [...]
> Please do not send mail to owner () bugs debian org unless you wish
> to report a problem with the Bug-tracking system.

We have this problem when someone CC's a Debian bug on oss-security
postings.  (But somehow not all the time?  Perhaps the Debian bug
tracker has some rules for when not to notify of "the additional
information"?  Or was Reply-To or whatever set differently this time?)

Neither approving nor rejecting these messages feels right.  Rejecting
currently means a message would be sent to owner () bugs debian org, and
also the thread might be broken in mailing list archives.  Doing nothing
means that a message to that extent would be sent a few days later.
I can SSH in to the server and manually remove the message from the
moderation queue to avoid that, but this also feels weird.  Well, or I
can update the spam filter to catch and drop these before they get to
the mailing list manager (and hence before moderation) - maybe I should.

Besides, any CC's to other lists tend to result in some "noise" being
sent to oss-security (some messages that would be appropriate for the
other instance of the thread, but not so much for oss-security).

So I am posting this for three reasons:

1. To ask that we please cut down on use of CC's to external lists.

2. To point out and ask about the issue with Debian bugs specifically -
how do we handle it best going forward?  Any suggestions?

3. To explain why this undesirable message appeared in here.

Alexander

