Re: Security reports in bugzilla?



On Mon, Dec 17, 2001 at 06:20:00PM -0500, Elliot Lee wrote:
> On 18 Dec 2001, Franck Martin wrote:
> 
> > I have noticed that in bugzilla, you can't flag a problem as a
> > security problem. I think it would be important for gnome to report
> > bugs which may be security hazards. It becomes more and more important
> > that systems show a high level of security, and that developers are
> > conscious of security implications in their development. As gnome
> > brings more and more features, it may evolve as a security nightmare
> > like windows products if we are not careful.
> > 
> > I think the possibility to flag a problem as a security threat
> > will bring the attention of the developers to limiting the security
> > problems of their applications.
> > 
> > What do you think?
> 
> The biggest problem from my point of view is that there are not enough
> people to process the bugs that are filed, and adding a 'security' flag
> won't really help if there is nobody fixing the problems.
> 
> There is a gnome-bugsquad list where people interested in helping sort
> through bugs can coordinate. There is also a bugzilla summary report every
> week on gnome-devel-list. At last count, there were around 6700 bugs open.
> 

Franck -

I don't think this will really help the problem you'd like to
address. Some maintainers are quickly attentive to the bugs filed on
their packages. They are quick to notice a security bug whether there
is a flag or not, just as they are quick to notice and deal with other
bugs that are serious for a variety of reasons. Some packages have no
one paying attention to bugzilla, in which case a security flag won't help.

What we really need, as Elliot's been trying to encourage with his bug
nag reports, is more people paying attention to bugzilla.

Cheers,
-- 
John Fleck
jfleck inkstain net (h), http://www.inkstain.net/fleck/
"A M00se once bit my sister..."


