Re: Should bugz.fp.o give links to security/private bugs?

On Wed, Feb 16, 2011 at 09:14:19AM -0800, Jesse Keating wrote:
> On 2/15/11 4:29 PM, Toshio Kuratomi wrote:
> > https://fedorahosted.org/fesco/ticket/561
> >
> > Recently, it was brought up to me that bugz.fp.o was showing summaries of
> > bugs that are marked private. This was probably revealing too much
> > information as summaries could contain harmful clues about security issues.
> > My quick fix was to not list those bugs at all. However, I wanted to restore
> > the bug #'s themselves to the list (with a hidden summary). This brings up
> > a question of how much security is warranted:
> >
> > On the one hand, it could be argued that even seeing that there's a new
> > private (and therefore likely security) bug against a package may be giving
> > away too much information. "Oh, so bind has a new private bug in Fedora's
> > bugzilla? I wonder if I can ask my blackhat contacts for some bind exploit
> > code before that gets fixed."
> >
> > The opposite side is that maintainers have come to use bugz.fp.o as a way to
> > quickly find and see what bugs exist in their packages. A maintainer that
> > depends on that could be unpleasantly surprised by the lack of private bugs
> > -- for instance, forgetting about a security bug because it's not listed on
> > bugz.fp.o or someone reviving an orphaned package unaware that it has
> > unresolved security bugs.
> >
> >
> > I'm posting here to get feedback on whether other maintainers use bugz.fp.o
> > like this and see this as a problem.  If so, I'll have FESCo decide whether
> > security or convenience/confusion is more important in this case.
> >
> > -Toshio
> >
> 
> I think either way would be fine, but what I'd also like to see is a 
> link for the query that one can click on and run within bugzilla using 
> their own bugzilla credentials.  That way they can get the full view of 
> potentially private items as well.
>
I'll look into this as well.  Since I'm using xmlrpc to make the query now,
it would help greatly if someone who knows bugzilla better can give me a URL
to template for this -- although I imagine it'll be some variant of the
standard search page so it shouldn't be too hard.

-Toshio

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
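An added example (not code from bugz.fp.o or from anyone in this thread) of the two policies discussed above: dropping private bugs entirely versus keeping the bug number and hiding the summary, with a check that no private summary text reaches the rendered list, and the Bugzilla search link Jesse asked for so a maintainer can re-run the query under their own credentials. It assumes bug records shaped like Bugzilla XML-RPC Bug.search results where a private bug carries a non-empty 'groups' list, and assumes bugzilla.redhat.com and its standard buglist.cgi search page; the sample bugs are constructed, not real Fedora bugs.

```python
"""Redacting private bugs in a per-package listing built from Bugzilla XML-RPC
results. Example code, not the bugz.fp.o implementation.

Assumptions (not taken from the thread): each record is a dict like the ones
Bugzilla's Bug.search returns, a bug is private when its 'groups' list is
non-empty, and the Bugzilla instance exposes the standard buglist.cgi page.
"""
from urllib.parse import urlencode

BUGZILLA = "https://bugzilla.redhat.com"  # assumed instance

# Constructed sample records; ids and summaries are made up.
SAMPLE_BUGS = [
    {"id": 1001, "component": "bind",
     "summary": "named exits when zone file has trailing whitespace", "groups": []},
    {"id": 1002, "component": "bind",
     "summary": "EXAMPLE embargoed issue, do not show", "groups": ["private"]},
    {"id": 1003, "component": "bind",
     "summary": "Spec file should enable hardening flags", "groups": []},
]


def is_private(bug):
    """A bug restricted to one or more groups is treated as private."""
    return bool(bug.get("groups"))


def listing(bugs, policy="redact"):
    """Return (bug id, text) rows for an anonymous page.

    'omit'   -> leave private bugs out altogether (the quick fix).
    'redact' -> keep the bug number so maintainers see it exists, hide the summary.
    Any other policy is rejected rather than silently showing everything.
    """
    if policy not in ("omit", "redact"):
        raise ValueError("policy must be 'omit' or 'redact'")
    rows = []
    for bug in bugs:
        if not is_private(bug):
            rows.append((bug["id"], bug["summary"]))
        elif policy == "redact":
            rows.append((bug["id"], "[private bug, summary hidden]"))
        # policy == "omit": skip the private bug entirely
    return rows


def no_private_leak(bugs, rows):
    """Regression check for the original problem: no private summary text may
    appear anywhere in the rendered rows."""
    rendered = " ".join(text for _, text in rows)
    return all(bug["summary"] not in rendered for bug in bugs if is_private(bug))


def bugzilla_query_url(product, component,
                       statuses=("NEW", "ASSIGNED", "MODIFIED")):
    """Link to the same query on Bugzilla's search page, so the viewer's own
    credentials decide what private bugs they get to see."""
    params = [("product", product), ("component", component)]
    params += [("bug_status", s) for s in statuses]
    return f"{BUGZILLA}/buglist.cgi?{urlencode(params)}"


if __name__ == "__main__":
    for policy in ("omit", "redact"):
        print(policy, listing(SAMPLE_BUGS, policy))
    print(bugzilla_query_url("Fedora", "bind"))
```

The listing function only ever sees records the anonymous XML-RPC account was given, so the redaction is defence in depth; the no_private_leak check is the kind of test that would have caught the summaries showing up in the first place.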
