Should bugz.fp.o give links to security/private bugs?
a.badger at gmail.com
Wed Feb 16 00:29:42 UTC 2011
Recently, it was brought up to me that bugz.fp.o was showing summaries of
bugs that are marked private. This was probably revealing too much
information as summaries could contain harmful clues about security issues.
My quick fix was to not list those bugs at all. However, I wanted to restore
the bug #'s themselves to the list (with a hidden summary). This brings up
a question of how much security is warranted:
On the one hand, it could be argued that even seeing that there's a new
private (and therefore likely security) bug against a package may be giving
away too much information. "Oh, so bind has a new private bug in Fedora's
bugzilla? I wonder if I can ask my blackhat contacts for some bind exploit
code before that gets fixed."
The opposite side is that maintainers have come to use bugz.fp.o as a way to
quickly find and see what bugs exist in their packages. A maintainer that
depends on that could be unpleasantly surprised by the lack of private bugs
-- for instance, forgetting about a security bug because it's not listed on
bugz.fp.o or someone reviving an orphaned package unaware that it has
unresolved security bugs.
I'm posting here to get feedback on whether other maintainers use bugz.fp.o
like this and see this as a problem. If so, I'll have FESCo decide whether
security or convenience/confusion is more important in this case.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 198 bytes
Desc: not available
Url : http://lists.fedoraproject.org/pipermail/devel/attachments/20110215/2473542c/attachment.bin
More information about the devel