Re: Security reports in bugzilla?

On Tue, Dec 18, 2001 at 10:32:39AM +0000 or thereabouts, Franck Martin wrote:
> I have noticed that in bugzilla, you can't flag a problem as a security
> problem. I think it would be important for gnome to report bugs which
> may be security hazards. It becomes more and more important that systems
> show a high level of security, and that developers are conscious of
> security implications in their development. As gnome brings more and
> more features, it may evolve as a security nightmare like windows
> products if we are not careful.
> I think that the possibility to flag a problem as a security threat
> will bring the attention of the developers on limiting the security
> problems of their applications.
> What do you think?

I think that sticking the "gnome hackers only can see this bug" thing
on would do. I'm pretty sure that's why it's there. It was set up
when we (where "we" means "Martin" :)) set bugzilla up.

You can have groups of users in bugzilla and say "only this/these
groups can see this bug". The groups in ours are pretty limited:
there's gnome hackers and there's bugzilla maintainers. There's
little reason for more. I have never seen the gnome-hackers group
used, but then it shouldn't be needed generally. It is there just
in case.

The initial make-up of the gnome-hackers group on bugzilla was
something like "everyone on the mailing list who also has an
identifiable bugzilla account", I think. I've occasionally added
people when they've asked for bugzilla accounts and I remember
they're on g-h mailing list.

Entirely separate from bugzilla, there is also a security gnome org
email address. I know there is, because last year I wondered "what
happens if someone tries to send stuff there?", sent an "anyone there?"
message and got responses within a few minutes :)
