On Thu, 2013-08-15 at 12:09 +0100, Pedro Francisco wrote:
> On Mon, Aug 12, 2013 at 2:39 PM, Adam Williamson <awilliam@xxxxxxxxxx> wrote:
> > On Mon, 2013-08-12 at 13:03 +0100, Pedro Francisco wrote:
> >> Hello!
> >> I found a bug report with possible private info on it.
> >>
> >> What should I do?
> >>
> >> 1- Contact bugzilla admin to remove the attachment?
> >> 2- Contact the owner of the bug and warn him of it?
> >> 3- Both?
> >
> > Not quite sure what you mean by 'private info', but definitely do
> > something - you mean it exposes the user's secrets? Definitely do #2 and
> > if it's really urgent do #1 at the same time. Anyone with editbugs
> > privileges can mark a comment as private which at least limits the
> > number of people who could see the secret data, so you can contact
> > anyone you trust who's a package maintainer or has editbugs privs
> > through the old triage group or something (including me, and many others
> > on this list) and ask if they can mark the attachment as private, too.
> >
> Now that the issue is taken care of, should a bug be open to prevent
> something like this to happen again? I know ABRT has a notice saying
> 'possible private info detected, please review', but usually it's just
> the username...

Perhaps abrt could warn harder if the detected field is something that
may be a password rather than a username. Like you I've gotten rather
blase about that warning since it started showing up for usernames;
classic example of the 'false positive' problem for security
mechanisms...

--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net

--
test mailing list
test@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe:
https://admin.fedoraproject.org/mailman/listinfo/test