On Fri, 2016-10-21 at 20:25 +0200, Florian Weimer wrote:
> Why does Bugzilla allow filing private Fedora bugs?
>
> I'm not sure who has the capability (it may be tied to specific
> accounts). It is not all that helpful because accounts on the Cc: list
> still receive notifications and can access the bug. Recipients of the
> notifications may include public mailing lists. This is probably not
> what people who make bugs private expect.
>
> The other problem is that I keep having to ask people filing private
> bugs if it is okay with them to make them public, and then to open the
> bugs again if they accidentally turn it private afterwards.
>
> Surely it's best to remove this capability from Bugzilla?

One major reason is for abrt reports; the data abrt submits can include
sensitive stuff. abrt actually tries to detect if there is any
possibly-sensitive information in any of the stuff it uploads and makes
the bug private by default if so. This mechanism tends to be overly
sensitive, and is probably the #1 source of private Fedora bugs. But it
*is* a genuine case: we actually discovered a couple of cases back in
2013-4 of abrt-filed bugs containing users' passwords. Making those
private isn't a perfect fix - as you say, there's still a lot of people
who can access them - but it at least stops absolutely anyone from being
able to scrape them out of bugzilla (and all the search engine bots and
so on).

-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net
http://www.happyassassin.net