Automatic notifications based on issue parameters #171

Open
opened 2024-09-20 10:30:41 +00:00 by RaitoBezarius · 0 comments
RaitoBezarius commented 2024-09-20 10:30:41 +00:00 (Migrated from github.com)

As a maintainer of a Nixpkgs derivation, I want to get notified with a healthy dose of reminders about that derivation -- not too often, not too rarely.

Implementation notes

Every day, we should determine to whom we should hand out notifications automatically.

Here are the dimensions for a given issue:

  • last time a notification was sent to that maintainer
  • last time since the status changed ("age")
  • severity of the issue (RCE, LPE, etc. vs. RegexDoS)
  • attack vectors: can receive untrusted attack inputs from trusted network, untrusted network, internet, etc.
  • which channels are affected: stable, unstable, EOL channels
  • whether the maintainer has declared himself to be away or not

The heuristic should answer:

  • "Should I send a notification today to remind of this current status?"

A first implementation can be:

$$
F = \alpha_1 \times \frac{1}{T_{\text{last\_notified}}} + \alpha_2 \times \frac{1}{T_{\text{age}}} + \alpha_3 \times S_{\text{severity}} + \alpha_4 \times V_{\text{attack\_vector}} + \alpha_5 \times C_{\text{channel\_affected}} - \beta \times M_{\text{away}}
$$

Let $T_{\text{last\_notified}}$ represent the number of days since the last notification was sent to the maintainer. $T_{\text{age}}$ represents the number of days since the status of the issue last changed. $S_{\text{severity}}$ refers to the severity score of the issue, where higher values represent more critical issues (e.g., RCE = 10, RegexDoS = 3). $V_{\text{attack\_vector}}$ is the score of the attack vector, with higher values for more dangerous attack surfaces (e.g., Internet = 10, Trusted Network = 3). $C_{\text{channel\_affected}}$ represents the score of the affected channel, where stable and EOL channels have higher scores than unstable ones (e.g., Stable = 10, Unstable = 5). $M_{\text{away}}$ is a binary variable representing whether the maintainer has declared themselves to be away, where $M_{\text{away}} = 1$ means they are unavailable, and $M_{\text{away}} = 0$ means they are available. Finally, $\alpha_1, \alpha_2, \alpha_3, \alpha_4, \alpha_5$ are weights assigned to the respective factors, and $\beta$ is a penalty factor for the maintainer's unavailability. The threshold $W$ is a predefined value above which a notification will be sent.

Depends on:

  • #174
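An added example, not part of the original issue or the project's code: the daily pass computing F as written above and comparing it to W. The weights, β, W, the clamp of T to at least one day, the treatment of a never-notified maintainer, and all names are assumptions; only the example scores (RCE, RegexDoS, Internet, Trusted Network, Stable, Unstable) come from the issue.

```python
from dataclasses import dataclass
from typing import Optional

# Scores for the examples named in the issue; other categories would need values.
SEVERITY = {"RCE": 10, "RegexDoS": 3}
ATTACK_VECTOR = {"internet": 10, "trusted-network": 3}
CHANNEL = {"stable": 10, "unstable": 5}

# Assumed weights (alpha_1..alpha_5), penalty beta and threshold W: the issue gives none.
ALPHA = (1.0, 1.0, 0.4, 0.3, 0.3)
BETA = 100.0
W = 6.0

@dataclass
class Issue:
    maintainer: str
    days_since_notified: Optional[int]  # None: never notified
    days_since_status_change: int
    severity: str
    attack_vector: str
    channel: str
    away: bool

def inv_days(days: Optional[int]) -> float:
    """1/T with T clamped to >= 1 day so a same-day event cannot divide by zero.
    Never-notified contributes 0 (an assumption; the issue does not cover it)."""
    if days is None:
        return 0.0
    return 1.0 / max(days, 1)

def score(i: Issue) -> float:
    a1, a2, a3, a4, a5 = ALPHA
    return (a1 * inv_days(i.days_since_notified)
            + a2 * inv_days(i.days_since_status_change)
            + a3 * SEVERITY[i.severity]
            + a4 * ATTACK_VECTOR[i.attack_vector]
            + a5 * CHANNEL[i.channel]
            - BETA * (1 if i.away else 0))

def daily_run(issues: list[Issue]) -> list[str]:
    """Maintainers whose issue scores above the threshold W today."""
    return [i.maintainer for i in issues if score(i) > W]

# Constructed sample issues.
SAMPLE = [
    Issue("alice", 7, 14, "RCE", "internet", "stable", False),
    Issue("bob", 0, 0, "RegexDoS", "trusted-network", "unstable", False),
    Issue("carol", None, 2, "RCE", "internet", "stable", True),
]
```
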