Re: Security reports in bugzilla?

On Mon, Dec 17, 2001 at 06:20:00PM -0500, Elliot Lee wrote:
> On 18 Dec 2001, Franck Martin wrote:
> > I have noticed that in bugzilla, you can't flag a problem as a
> > security problem. I think it would be important for gnome to report
> > bugs which may be security hazards. It becomes more and more important
> > that systems show a high level of security, and that developers are
> > conscious of security implications in their development. As gnome
> > brings more and more features, it may evolve as a security nightmare
> > like windows products if we are not careful.
> > 
> > I think the possibility to flag a problem as a security threat
> > will bring the attention of the developers to limiting the security
> > problems of their applications.
> > 
> > What do you think?
>
> The biggest problem from my point of view is that there are not enough
> people to process the bugs that are filed, and adding a 'security' flag
> won't really help if there is nobody fixing the problems.
> There is a gnome-bugsquad list where people interested in helping sort
> through bugs can coordinate. There is also a bugzilla summary report every
> week on gnome-devel-list. At last count, there were around 6700 bugs open.

Franck -

I don't think this will really help the problem you'd like to
address. Some maintainers are quickly attentive to the bugs filed on
their packages. They are quick to notice a security bug whether there
is a flag or not, just as they are quick to notice and deal with other
bugs that are serious for a variety of reasons. Some packages have no
one paying attention to bugzilla, in which case a security flag won't help.

What we really need, as Elliot's been trying to encourage with his bug
nag reports, is more people paying attention to bugzilla.

John Fleck
jfleck inkstain net (h),
"A M00se once bit my sister..."
