Should bugz.fp.o give links to security/private bugs?
jkeating at redhat.com
Wed Feb 16 17:14:19 UTC 2011
On 2/15/11 4:29 PM, Toshio Kuratomi wrote:
> Recently, it was brought up to me that bugz.fp.o was showing summaries of
> bugs that are marked private. This was probably revealing too much
> information as summaries could contain harmful clues about security issues.
> My quick fix was to not list those bugs at all. However, I wanted to restore
> the bug #'s themselves to the list (with a hidden summary). This brings up
> a question of how much security is warranted:
> On the one hand, it could be argued that even seeing that there's a new
> private (and therefore likely security) bug against a package may be giving
> away too much information. "Oh, so bind has a new private bug in Fedora's
> bugzilla? I wonder if I can ask my blackhat contacts for some bind exploit
> code before that gets fixed."
> The opposite side is that maintainers have come to use bugz.fp.o as a way to
> quickly find and see what bugs exist in their packages. A maintainer that
> depends on that could be unpleasantly surprised by the lack of private bugs
> -- for instance, forgetting about a security bug because it's not listed on
> bugz.fp.o or someone reviving an orphaned package unaware that it has
> unresolved security bugs.
> I'm posting here to get feedback on whether other maintainers use bugz.fp.o
> like this and see this as a problem. If so, I'll have FESCo decide whether
> security or convenience/confusion is more important in this case.
I think either way would be fine, but what I'd also like to see is a
link for the query that one can click on and run within bugzilla using
their own bugzilla credentials. That way they can get the full view of
potentially private items as well. If you go on the side of not showing
all bugs (if you can detect that there are some private ones), perhaps
show a admonition somewhere that not all bugs are shown, please log into
bugzilla for the full view, otherwise don't show the admonition.
Fedora -- Freedom² is a feature!
More information about the devel