Should bugz.fp.o give links to security/private bugs?

https://fedorahosted.org/fesco/ticket/561

Recently, it was brought up to me that bugz.fp.o was showing summaries of
bugs that are marked private. This was probably revealing too much
information as summaries could contain harmful clues about security issues.
My quick fix was to not list those bugs at all. However, I wanted to restore
the bug #'s themselves to the list (with a hidden summary). This brings up
a question of how much security is warranted:

On the one hand, it could be argued that even seeing that there's a new
private (and therefore likely security) bug against a package may be giving
away too much information. "Oh, so bind has a new private bug in Fedora's
bugzilla? I wonder if I can ask my blackhat contacts for some bind exploit
code before that gets fixed."

The opposite side is that maintainers have come to use bugz.fp.o as a way to
quickly find and see what bugs exist in their packages. A maintainer that
depends on that could be unpleasantly surprised by the lack of private bugs
-- for instance, forgetting about a security bug because it's not listed on
bugz.fp.o or someone reviving an orphaned package unaware that it has
unresolved security bugs.
I'm posting here to get feedback on whether other maintainers use bugz.fp.o
like this and see this as a problem. If so, I'll have FESCo decide whether
security or convenience/confusion is more important in this case.

-Toshio

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel