On Wed, Feb 16, 2011 at 09:14:19AM -0800, Jesse Keating wrote:
> On 2/15/11 4:29 PM, Toshio Kuratomi wrote:
> > https://fedorahosted.org/fesco/ticket/561
> >
> > Recently, it was brought up to me that bugz.fp.o was showing summaries of
> > bugs that are marked private. This was probably revealing too much
> > information as summaries could contain harmful clues about security issues.
> > My quick fix was to not list those bugs at all. However, I wanted to restore
> > the bug #'s themselves to the list (with a hidden summary). This brings up
> > a question of how much security is warranted:
> >
> > On the one hand, it could be argued that even seeing that there's a new
> > private (and therefore likely security) bug against a package may be giving
> > away too much information. "Oh, so bind has a new private bug in Fedora's
> > bugzilla? I wonder if I can ask my blackhat contacts for some bind exploit
> > code before that gets fixed."
> >
> > The opposite side is that maintainers have come to use bugz.fp.o as a way to
> > quickly find and see what bugs exist in their packages. A maintainer that
> > depends on that could be unpleasantly surprised by the lack of private bugs
> > -- for instance, forgetting about a security bug because it's not listed on
> > bugz.fp.o or someone reviving an orphaned package unaware that it has
> > unresolved security bugs.
> >
> >
> > I'm posting here to get feedback on whether other maintainers use bugz.fp.o
> > like this and see this as a problem. If so, I'll have FESCo decide whether
> > security or convenience/confusion is more important in this case.
> >
> > -Toshio
> >
> I think either way would be fine, but what I'd also like to see is a
> link for the query that one can click on and run within bugzilla using
> their own bugzilla credentials. That way they can get the full view of
> potentially private items as well.

I'll look into this as well.
Since I'm using xmlrpc to make the query now, it would help greatly if someone who knows bugzilla better can give me a URL to template for this -- although I imagine it'll be some variant of the standard search page so it shouldn't be too hard. -Toshio
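The middle option discussed above (keep the bug numbers of private bugs on the page, hide their summaries, and link to the same query in Bugzilla so readers can use their own credentials) in runnable form. This is an added example, not code from bugz.fp.o or from anyone in the thread. It assumes bug records shaped like Bugzilla XML-RPC `Bug.get` results, where a non-empty `groups` list marks a bug as restricted, and it builds the Bugzilla link from the standard `buglist.cgi` `product`/`component` search parameters; the placeholder text, the base URL and the sample bugs are constructed for the example.

```python
# Added example (not bugz.fp.o code): publish bug ids for every bug, but
# never let the summary text of a private bug reach the public listing.
from urllib.parse import urlencode

PLACEHOLDER = "[private bug - summary hidden]"


def is_private(bug):
    """Assumption: records look like Bugzilla XML-RPC Bug.get results and a
    non-empty "groups" list means the bug is restricted to those groups."""
    return bool(bug.get("groups"))


def public_view(bugs):
    """Rows safe to publish: the id survives for every bug (so maintainers
    still see that a private bug exists), the summary only for public ones."""
    rows = []
    for bug in bugs:
        private = is_private(bug)
        rows.append({
            "id": bug["id"],
            "summary": PLACEHOLDER if private else bug["summary"],
            "private": private,
        })
    return rows


def leaked_private_text(bugs, rows):
    """Regression check for the leak the thread describes: ids of private
    bugs whose real summary text still appears anywhere in the rendered rows."""
    rendered = "\n".join(str(r["summary"]) for r in rows)
    return [b["id"] for b in bugs
            if is_private(b) and b["summary"] and b["summary"] in rendered]


def bugzilla_search_link(base_url, product, component):
    """Link to the same query inside Bugzilla, where the reader's own
    credentials decide which private bugs are shown (standard buglist.cgi
    search parameters; base_url is whatever Bugzilla instance is in use)."""
    query = urlencode({"product": product, "component": component})
    return base_url.rstrip("/") + "/buglist.cgi?" + query


# Constructed sample input; these are not real bugs.
SAMPLE_BUGS = [
    {"id": 1001, "summary": "bind fails to start when IPv6 is disabled", "groups": []},
    {"id": 1002, "summary": "bind: crash on malformed query (embargoed)",
     "groups": ["private"]},
    {"id": 1003, "summary": "spec file cleanup", "groups": []},
]

if __name__ == "__main__":
    rows = public_view(SAMPLE_BUGS)
    for row in rows:
        print(row["id"], row["summary"])
    print("leaked:", leaked_private_text(SAMPLE_BUGS, rows))
    print(bugzilla_search_link("https://bugzilla.example.org", "Fedora", "bind"))
```

`leaked_private_text` is the check worth keeping around: it fails loudly if a later template change reintroduces private summaries, which is the exact failure mode that prompted the ticket.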
-- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel