Re: Security reports in bugzilla?

On Fri, 2001-12-21 at 05:47, Telsa Gwynne wrote:
> On Tue, Dec 18, 2001 at 10:32:39AM +0000 or thereabouts, Franck Martin wrote:
> > I have noticed that in bugzilla, you can't flag a problem as a security
> > problem. I think it would be important for gnome to report bugs which
> > may be security hazards. It becomes more and more important that systems
> > show a high level of security, and that developers are conscious of
> > security implications in their development. As gnome brings more and
> > more features, it may evolve into a security nightmare like windows
> > products if we are not careful.
> > 
> > I think the possibility to flag a problem as a security threat
> > will bring the attention of the developers to limiting the security
> > problems of their applications.
> > 
> > What do you think?
> I think that sticking the "gnome hackers only can see this bug" thing
> on would do. I'm pretty sure that's why it's there. It was set up 
> when we (where "we" means "Martin" :)) set bugzilla up.

The shortcoming of this approach is that there is no way to do a search
on what groups a bug is limited by. This problem can be solved (we do it
here with a custom search page) but it's still not the ideal solution.
Additionally, once the bug is fixed and (presumably) no longer in the
group it's impossible to track and deal with later.

Just my two cents...

> You can have groups of users in bugzilla and say "only this/these"
> groups can see this bug". The groups in ours are pretty limited:
> there's gnome hackers and there's bugzilla maintainers. There's
> little reason for more. I have never seen the gnome-hackers group
> used, but then it shouldn't be needed generally. It is there just
> in case. 
> The initial make-up of the gnome-hackers group on bugzilla was 
> something like "everyone on the mailing list who also has an
> identifiable bugzilla account", I think. I've occasionally added 
> people when they've asked for bugzilla accounts and I remember
> they're on g-h mailing list.
> Entirely separate from bugzilla, there is also a security gnome org 
> email address. I know there is, because last year I wondered "what 
> happens if someone tries to send stuff there?", sent an "anyone there?" 
> message and got responses within a few minutes :)
> Telsa
> _______________________________________________
> gnome-2-0-list mailing list
> gnome-2-0-list gnome org
