Should bugz.fp.o give links to security/private bugs?

Toshio Kuratomi a.badger at gmail.com
Sat Feb 19 18:34:20 UTC 2011


On Wed, Feb 16, 2011 at 09:14:19AM -0800, Jesse Keating wrote:
> On 2/15/11 4:29 PM, Toshio Kuratomi wrote:
> > https://fedorahosted.org/fesco/ticket/561
> >
> > Recently, it was brought up to me that bugz.fp.o was showing summaries of
> > bugs that are marked private. This was probably revealing too much
> > information as summaries could contain harmful clues about security issues.
> > My quick fix was to not list those bugs at all. However, I wanted to restore
> > the bug #'s themselves to the list (with a hidden summary). This brings up
> > a question of how much security is warranted:
> >
> > On the one hand, it could be argued that even seeing that there's a new
> > private (and therefore likely security) bug against a package may be giving
> > away too much information. "Oh, so bind has a new private bug in Fedora's
> > bugzilla? I wonder if I can ask my blackhat contacts for some bind exploit
> > code before that gets fixed."
> >
> > The opposite side is that maintainers have come to use bugz.fp.o as a way to
> > quickly find and see what bugs exist in their packages. A maintainer that
> > depends on that could be unpleasantly surprised by the lack of private bugs
> > -- for instance, forgetting about a security bug because it's not listed on
> > bugz.fp.o or someone reviving an orphaned package unaware that it has
> > unresolved security bugs.
> >
> >
> > I'm posting here to get feedback on whether other maintainers use bugz.fp.o
> > like this and see this as a problem.  If so, I'll have FESCo decide whether
> > security or convenience/confusion is more important in this case.
> >
> > -Toshio
> >
> 
> I think either way would be fine, but what I'd also like to see is a 
> link for the query that one can click on and run within bugzilla using 
> their own bugzilla credentials.  That way they can get the full view of 
> potentially private items as well.
>
I'll look into this as well.  Since I'm using xmlrpc to make the query now,
it would help greatly if someone who knows bugzilla better can give me a URL
to template for this -- although I imagine it'll be some variant of the
standard search page so it shouldn't be too hard.

-Toshio
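The two mechanisms discussed above (a public listing that keeps the bug numbers of private bugs but hides their summaries, and a link that re-runs the same query inside Bugzilla under the reader's own credentials) can be sketched in a few lines. The code below is an added example written for this page, not code from bugz.fp.o or from Bugzilla. It assumes that the standard-search page is `buglist.cgi` taking repeated `bug_status` parameters (that is how stock Bugzilla's advanced search is addressed), that the Bugzilla in question is bugzilla.redhat.com, and that a bug record carries a `groups` list that is non-empty exactly when the bug is private; the bug records and the function names are constructed for the example.

```python
from urllib.parse import urlencode

# Assumption: the Bugzilla the links should point at.
BUGZILLA_BASE = "https://bugzilla.redhat.com"


def buglist_url(product, component, statuses=("NEW", "ASSIGNED", "MODIFIED")):
    """Build a standard-search (buglist.cgi) URL for one component.

    Clicking it runs the search inside Bugzilla with the reader's own
    session, so private bugs they are entitled to see show up in full.
    urlencode() handles the percent-escaping of product/component names
    and emits one bug_status= pair per status, which is how the advanced
    search form expresses a multi-select.
    """
    params = [("query_format", "advanced"),
              ("product", product),
              ("component", component)]
    params += [("bug_status", s) for s in statuses]
    return f"{BUGZILLA_BASE}/buglist.cgi?{urlencode(params)}"


def is_private(bug):
    """Assumption: a bug restricted to one or more groups is 'private'."""
    return bool(bug.get("groups"))


def public_listing(bugs, show_private_ids=True):
    """Rows safe to render on an unauthenticated page.

    Public bugs are shown as-is.  Private bugs keep their bug number
    (so a maintainer still notices them) but the summary is replaced,
    because the summary can leak details of an unfixed security issue.
    With show_private_ids=False they are dropped entirely, which is the
    more conservative option the thread weighs against convenience.
    """
    rows = []
    for bug in bugs:
        private = is_private(bug)
        if private and not show_private_ids:
            continue
        rows.append({
            "id": bug["id"],
            "summary": "(summary hidden: private bug)" if private else bug["summary"],
            "private": private,
        })
    return rows


# Constructed sample records, shaped like what a component query might return.
SAMPLE_BUGS = [
    {"id": 101, "summary": "named crashes on startup with IPv6 disabled", "groups": []},
    {"id": 102, "summary": "buffer overflow in DNSSEC validation path", "groups": ["private"]},
    {"id": 103, "summary": "update to 9.7.3", "groups": []},
]


if __name__ == "__main__":
    for row in public_listing(SAMPLE_BUGS):
        print(row["id"], row["summary"])
    print(buglist_url("Fedora", "bind"))
```

Note that hiding the summary only removes one signal; the existence of a new private bug against a package is still visible in the listing, which is exactly the trade-off the thread asks FESCo to decide.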