Should bugz.fp.o give links to security/private bugs?

Toshio Kuratomi a.badger at
Sat Feb 19 18:34:20 UTC 2011

On Wed, Feb 16, 2011 at 09:14:19AM -0800, Jesse Keating wrote:
> On 2/15/11 4:29 PM, Toshio Kuratomi wrote:
> >
> >
> > Recently, it was brought up to me that bugz.fp.o was showing summaries of
> > bugs that are marked private. This was probably revealing too much
> > information as summaries could contain harmful clues about security issues.
> > My quick fix was to not list those bugs at all. However, I wanted to restore
> > the bug #'s themselves to the list (with a hidden summary). This brings up
> > a question of how much security is warranted:
> >
> > On the one hand, it could be argued that even seeing that there's a new
> > private (and therefore likely security) bug against a package may be giving
> > away too much information. "Oh, so bind has a new private bug in Fedora's
> > bugzilla? I wonder if I can ask my blackhat contacts for some bind exploit
> > code before that gets fixed."
> >
> > The opposite side is that maintainers have come to use bugz.fp.o as a way to
> > quickly find and see what bugs exist in their packages. A maintainer that
> > depends on that could be unpleasantly surprised by the lack of private bugs
> > -- for instance, forgetting about a security bug because it's not listed on
> > bugz.fp.o or someone reviving an orphaned package unaware that it has
> > unresolved security bugs.
> >
> >
> > I'm posting here to get feedback on whether other maintainers use bugz.fp.o
> > like this and see this as a problem.  If so, I'll have FESCo decide whether
> > security or convenience/confusion is more important in this case.
> >
> > -Toshio
> >
> I think either way would be fine, but what I'd also like to see is a 
> link for the query that one can click on and run within bugzilla using 
> their own bugzilla credentials.  That way they can get the full view of 
> potentially private items as well.
I'll look into this as well.  Since I'm using xmlrpc to make the query now,
it would help greatly if someone who knows bugzilla better can give me a URL
to template for this -- although I imagine it'll be some variant of the
standard search page so it shouldn't be too hard.
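The two behaviours discussed in this thread, listing private bugs with a withheld summary versus dropping them outright, plus the credentialed hand-off link Jesse asked for, as an added Python illustration that is not bugz.fp.o's own code. It assumes bug records shaped like Bugzilla XML-RPC `Bug.search` output with `id`, `summary` and a `groups` list (non-empty for restricted bugs); that field layout, the `bugzilla.redhat.com` base URL and the sample records are assumptions.

```python
"""Redact private bugs from a package bug list and build a hand-off query URL.

Added example, not code from bugz.fp.o. Record shape (id/summary/groups) is
an assumption about Bugzilla's XML-RPC Bug.search output.
"""
from urllib.parse import urlencode

BUGZILLA = "https://bugzilla.redhat.com"  # assumed base URL

# Constructed sample records, not real bugs.
SAMPLE_BUGS = [
    {"id": 1001, "summary": "service fails to start after update", "groups": []},
    {"id": 1002, "summary": "private security report", "groups": ["security"]},
    {"id": 1003, "summary": "typo in man page", "groups": []},
]

HIDDEN = "[private bug: summary withheld]"


def redact(bugs, list_private_ids=True):
    """Return records safe to show on a public listing.

    Private bugs (any group restriction) lose their summary. With
    list_private_ids=False they are dropped entirely, which is the
    'quick fix' behaviour described at the top of the thread.
    """
    out = []
    for bug in bugs:
        private = bool(bug.get("groups"))
        if private and not list_private_ids:
            continue
        out.append({
            "id": bug["id"],
            "summary": HIDDEN if private else bug["summary"],
            "private": private,
        })
    return out


def bugzilla_query_url(product, component, base=BUGZILLA):
    """Link to the standard buglist.cgi search so a maintainer re-runs the
    same query under their own Bugzilla login and sees whatever private
    bugs they are authorised for."""
    params = [("product", product), ("component", component),
              ("bug_status", "NEW"), ("bug_status", "ASSIGNED")]
    return f"{base}/buglist.cgi?{urlencode(params)}"
```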
