Re: Security reports in bugzilla?



Hi:

I think that a 'security' keyword in bugzilla would be a very good idea
regardless of how we proceed.  There are some people and organizations
that will be particularly interested in security-related bugs and it's
good to have a consistent way of keeping tabs on them.  It seems to me
that we don't have a consistently-used "security" keyword at the moment;
perhaps I missed something.

-Bill

> Franck Martin wrote:
> 
> Sander,
> 
> May I make an analogy:
> 
> It is not because a country doesn't know how to deal with AIDS that
> the country does not make a census to know how many cases there are.
> 
> The first step to tackle AIDS in many developing countries is to know
> the extent of the problem.
> 
> I think getting statistics on the number of security issues present in
> Gnome over time will help... Usually security bugs in common libraries
> are quickly patched by security experts, if you can provide an
> interface via bugzilla to record the security problem and the fix,
> then you will attract these security experts to Gnome.
> 
> Cf last announcement of the GLIBC buffer overflow.
> 
> Eliot, you do a great job with your bug nag, at least you show the
> extent of the problem. If you want to nag more you can do the
> following presentation:
> 
> application | number of bugs open | oldest bug in bugzilla | number of
> security bugs open
> 
> Cheers.
> franck sopac org
> 
> On Tue, 2001-12-18 at 14:19, Sander Vesik wrote:
> 
>      On Tue, 18 Dec 2001, Franck Martin wrote:
> 
>      >
>      > I know the bugsquad team is overloaded, and there are many bugs out there,
>      > BUT you shouldn't ignore the problem. Let's flag it and see what we can do
>      > later.
>      >
> 
>      This sounds presently as running an advertisement 'will drag in all wooden
>      horses and not inspect the contents' on our city gates...
> 
>      > It is important for gnome to be a security conscious development platform.
>      >
> 
>      Yes, but it presently isn't, as evidenced by not having any formal way of
>      dealing with security problems and not even having a designated
>      contact...


