Bug report with private info

moshe nahmias moshegrey at gmail.com
Sat Aug 17 08:14:08 UTC 2013


Isn't it possible to list all the fields of the sensitive data?
That way it will be easier for the user to see which data is compromised
and at the very least the user won't have to go through all the data
transmitted just to see that the user name is the only sensitive info
that's sent.
It is easier that way to find whether the password is there too, for example;
it's harder to find the needle in the haystack if the data is not organized.

Moshe


On Fri, Aug 16, 2013 at 10:43 PM, Adam Williamson <awilliam at redhat.com> wrote:

> On Thu, 2013-08-15 at 12:09 +0100, Pedro Francisco wrote:
> > On Mon, Aug 12, 2013 at 2:39 PM, Adam Williamson <awilliam at redhat.com> wrote:
> > > On Mon, 2013-08-12 at 13:03 +0100, Pedro Francisco wrote:
> > >> Hello!
> > >> I found a bug report with possible private info on it.
> > >>
> > >> What should I do?
> > >>
> > >> 1- Contact bugzilla admin to remove the attachment?
> > >> 2- Contact the owner of the bug and warn him of it?
> > >> 3- Both?
> > >
> > > Not quite sure what you mean by 'private info', but definitely do
> > > something - you mean it exposes the user's secrets? Definitely do #2 and
> > > if it's really urgent do #1 at the same time. Anyone with editbugs
> > > privileges can mark a comment as private which at least limits the
> > > number of people who could see the secret data, so you can contact
> > > anyone you trust who's a package maintainer or has editbugs privs
> > > through the old triage group or something (including me, and many others
> > > on this list) and ask if they can mark the attachment as private, too.
> >
> >
> > Now that the issue is taken care of, should a bug be opened to prevent
> > something like this from happening again? I know ABRT has a notice saying
> > 'possible private info detected, please review', but usually it's just
> > the username...
>
> Perhaps abrt could warn harder if the detected field is something that
> may be a password rather than a username. Like you I've gotten rather
> blasé about that warning since it started showing up for usernames;
> classic example of the 'false positive' problem for security
> mechanisms...
> --
> Adam Williamson
> Fedora QA Community Monkey
> IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
> http://www.happyassassin.net
>
> --
> test mailing list
> test at lists.fedoraproject.org
> To unsubscribe:
> https://admin.fedoraproject.org/mailman/listinfo/test
>
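As an added illustration of the two suggestions in this thread (list the detected sensitive fields one by one, and warn harder when a field looks like a credential rather than a username), here is a small scanner over a crash-report environment dump. It is example code written for this page, not ABRT's own detection logic; the report text, the field-name patterns and the severity levels are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample of an environment dump attached to a crash report
# (not a real ABRT report; values are made up).
SAMPLE_REPORT = """\
DISPLAY=:0
HOME=/home/pedro
USER=pedro
LOGNAME=pedro
DB_PASSWORD=hunter2
http_proxy=http://pedro:s3cret@proxy.example.com:3128/
SHELL=/bin/bash
PATH=/usr/bin:/bin
AUTH_TOKEN=abcdef1234567890
"""

# Assumed classification rules: (pattern on the field name, severity, label).
# Severity 3 = credential, 1 = identifying but low-risk (username, home path).
RULES = [
    (re.compile(r"passw(or)?d|secret|token|api_?key", re.I), 3, "credential"),
    (re.compile(r"^(user|username|logname)$", re.I), 1, "username"),
    (re.compile(r"^home$", re.I), 1, "home directory"),
]

# A user:password pair embedded in a URL value is a credential whatever the
# field is called (proxy variables are a common place for this).
URL_CRED = re.compile(r"://[^/\s:@]+:[^@\s]+@")


@dataclass
class Finding:
    field: str      # variable name as found in the report
    kind: str       # human-readable label for the user
    severity: int   # 3 = credential, 1 = identifying info
    preview: str    # what the user is shown; credentials are masked


def mask(value: str) -> str:
    """Keep first and last character so the user can recognise the value
    without the full secret being displayed."""
    if len(value) <= 2:
        return "*" * len(value)
    return value[0] + "*" * (len(value) - 2) + value[-1]


def scan_report(text: str) -> list:
    """Return one Finding per sensitive field, worst severity first."""
    findings = []
    for line in text.splitlines():
        if "=" not in line:
            continue
        name, value = line.split("=", 1)
        severity, kind = 0, None
        for pattern, sev, label in RULES:
            if pattern.search(name) and sev > severity:
                severity, kind = sev, label
        if URL_CRED.search(value) and severity < 3:
            severity, kind = 3, "credential embedded in URL"
        if kind is not None:
            preview = mask(value) if severity >= 3 else value
            findings.append(Finding(name, kind, severity, preview))
    # Credentials first, then alphabetical, so the summary leads with the worst.
    findings.sort(key=lambda f: (-f.severity, f.field))
    return findings


def summarize(findings: list):
    """Return (headline, per-field lines). The headline escalates to a
    warning only when a credential-class field is present, so the user
    is not trained to ignore it by username-only hits."""
    if not findings:
        return "No sensitive fields detected.", []
    if findings[0].severity >= 3:
        headline = "WARNING: possible credentials found; review before sending."
    else:
        headline = "Note: identifying information found (e.g. username)."
    lines = [f"  [{f.kind}] {f.field} = {f.preview}" for f in findings]
    return headline, lines


if __name__ == "__main__":
    head, body = summarize(scan_report(SAMPLE_REPORT))
    print(head)
    print("\n".join(body))
```

Running the block prints the escalated warning followed by a field-by-field list: the three credential-class hits (the token, the password variable and the proxy URL) come first with their values masked, and the username and home-directory hits follow in full so the user can judge them at a glance instead of reading the whole dump.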