"Ebuild maintainance" seems an odd place for this, when the word "ebuild" doesn't even occur in the whole chapter.

I was thinking of it in terms of "one's duties when maintaining a package/ebuild". I could use the term ebuild in a few places but I don't want to jam it in either. Let me review and see..

But I do not object to "General concepts", just explaining why I chose this.

I could use the term ebuild in a few places but I don't want to jam it in either.

No, I'm not at all asking for this. 😄 That the term "ebuild" is missing in the present version was an indication for me that there might be a better place for the page.

Please explain (or link to) the format of the bug title so that you don't have to correct me every time 🙏

Please explain (or link to) the format of the bug title so that you don't have to correct me every time 🙏

That's partly what inspired it but it's long overdue :)

I've currently got this in there:

+<p>
+For such bug reports, the bug summary should reflect the first fixed
+version in the Gentoo repository, not the first fixed version released
+by upstream. This means unpackaged versions should not be in the title.
+</p>

I can tweak that if you want, maybe with an example but dunno if that's too verbose or not. If it would be helpful I can add it.

+<p>
+For such bug reports, the bug summary should reflect the first fixed
+version in the Gentoo repository, not the first fixed version released
+by upstream. This means unpackaged versions should not be in the title.
+</p>

I can tweak that if you want, maybe with an example but dunno if that's too verbose or not. If it would be helpful I can add it.

What if there is no fixed version in ::gentoo, or at all?

Unversioned, so "app-misc/foo: use-after-free".

How about:

Security issues for packages with no fixed ebuilds available should have an unversioned title. For example, a use-after-free which is fixed upstream in a new yet-unpackaged release of app-misc/foo would have a title: "app-misc/foo: use-after-free".

Feels a bit wordy so suggestions welcome..

I'm half-asleep so this will be no good, but it feels like the whole thing can be covered by two cases (and a brief note that the usual convention is not followed)?

In other contexts the affected package name and version would be included in the summary of a bug, but please be aware that these security bugs do not follow that convention. For security bugs: if a fixed version is already available in the Gentoo repository, include that fixed version number in the bug summary; otherwise, do not include any version numbers at all.

I slept on it a while and decided I like it with no adjustments, pushed as 3711d79. Thank you!