RFC: Packagedb and private bugs
by Toshio Kuratomi
Greetings security team,
One of the pages in the Fedora PackageDB displays all the bugs that a Fedora
package contains. Until Saturday, last week the displayed information
contained the id and summary of private bugs. Someone reported this as
a security issue and I modified the list to only show public bugs. However,
this is less than ideal from a developer perspective as maintainers use the
list to keep track of what bugs are opened against their packages (or
packages that they're thinking of taking on). I'm thinking of changing this
to display the bug ids, a link, and a summary of "Private Bug" instead.
This will leak the fact that a private bug exists against the package
and also the relative newness of the bug (via the size of the bug id) but no
other information.
FESCo discussed this and thought it sounded fine but wanted me to run the
idea past the security team in case there were arguments against this that
they hadn't considered. The FESCo ticket is at:
https://fedorahosted.org/fesco/ticket/561
The meeting logs have their reasoning:
http://meetbot.fedoraproject.org/teams/fesco/fesco.2011-02-16-17.30.log.html
Search for #topic #561
If you have feedback, it's probably best to add it to the fesco ticket as
I don't know how many fesco members are subscribed here.
-Toshio
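The two display policies Toshio describes, as an added illustration that is not part of the original mail or of the PackageDB code: dropping private bugs entirely versus keeping the id and link but replacing the summary with "Private Bug". The Bug records and the Bugzilla URL pattern are assumptions constructed for the example.

```python
from dataclasses import dataclass

PRIVATE_SUMMARY = "Private Bug"


@dataclass(frozen=True)
class Bug:
    bug_id: int
    summary: str
    private: bool


# Constructed sample data; these are not real Bugzilla entries.
SAMPLE_BUGS = [
    Bug(600123, "Crash when opening a malformed file", False),
    Bug(600987, "Embargoed: heap overflow in parser", True),
    Bug(601500, "Typo in man page", False),
]


def bug_url(bug_id):
    # Assumed link format; the mail does not specify it.
    return f"https://bugzilla.redhat.com/show_bug.cgi?id={bug_id}"


def render_public_only(bugs):
    """Current behaviour from the mail: private bugs are omitted entirely."""
    return [(b.bug_id, bug_url(b.bug_id), b.summary)
            for b in bugs if not b.private]


def render_with_placeholder(bugs):
    """Proposed behaviour: keep id and link, mask the private summary.

    Existence and relative age (via the id) are still exposed, nothing else."""
    return [(b.bug_id, bug_url(b.bug_id),
             PRIVATE_SUMMARY if b.private else b.summary)
            for b in bugs]


def leaked_summaries(rendered, bugs):
    """Return rendered rows whose text matches a private bug's real summary."""
    private_text = {b.summary for b in bugs if b.private}
    return [row for row in rendered if row[2] in private_text]
```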
CPE information for Fedora packages useful?
by Silvio Cesare
Hi,
Debian maintain a list of CPE information for packages on their security
tracker http://svn.debian.org/wsvn/secure-testing/data/CPE/list
The CPE information is not complete and does not contain version
information. This makes it relatively static except when packages are added
or removed from the repository. It can be useful to maintain this limited
CPE information for searching purposes.
In the past I generated an automatic mapping between packages in Debian and
Fedora
https://github.com/silviocesare/Equivalent-Packages/blob/master/NearestNe....
From combining the Debian CPE list and my package mappings, I can generate a
CPE list for Fedora. The list would not cover all of Fedora's packages and I
could not guarantee 100% accuracy, however such a list may be useful.
I can create this list if the security team or developers are interested and
perhaps it could be put on the Fedora wiki.
Apologies if this has already been answered. I have asked Fedora in several
forums if similar information (such as package mappings) would be useful,
and the general consensus thus far has been that it is not needed. However,
while package mappings might not be useful to Fedora, perhaps a partial CPE
list could be.
CC me on responses.
--
Silvio Cesare