Re: Security reports in bugzilla?

On Fri, 2001-12-21 at 17:43, Gregory Leblanc wrote:
> On Fri, 2001-12-21 at 03:35, Ross Golder wrote:
> > On Fri, 2001-12-21 at 10:47, Telsa Gwynne wrote:
> > > On Tue, Dec 18, 2001 at 10:32:39AM +0000 or thereabouts, Franck Martin wrote:
> > > > I think with the possibility to flag a problem as a security threat,
> > > > will bring the attention of the developers on limiting the security
> > > > problems of their applications.
> > > > 
> > > > What do you think?
> > > 
> > > I think that sticking the "gnome hackers only can see this bug" thing
> > > on would do. I'm pretty sure that's why it's there. It was set up 
> > > when we (where "we" means "Martin" :)) set bugzilla up.
> > 
> > Do you mean you would want to make security-related bug reports
> > non-public, and only viewable by an elite group?
> > 
> > Me no likey! :o) Better to open it up to a wider audience for a better
> > chance of getting it fixed.
> Well, I don't particularly like it either, but depending on the severity
> of the security issue, I can see it being "desirable".  If it's an issue
> that is fairly easy-to-exploit, having it open to the public is a Bad
> Thing, since Joe Black Hat Cracker can browse our bug system, and start
> exploiting bugs that exist in some large portion of our user base.  Even
> after we make a fix available, it could be quite some time before users
> manage to upgrade to a version that isn't vulnerable.  I'm really quite
> torn on which way things like this should go for the GNOME project.
> 	Greg

I know it's not exactly black and white, and I wish there was another
way, but we're either cathedral, or we're bazaar, and you know what kind
of security reputation cathedral projects have ;).

Basically, this information really _must_ be in the public domain. If
I were to discover you guys had discovered, filed and sat on a security
bug (because of legitimate time constraints), I would be furious that
you didn't make the issue public so that I could at least take steps to
either fix it (and make a patch publicly available), or workaround the
problem locally so that it doesn't affect me.

We should have a security alerts mailing list so that people can't
blame us for not telling them there are security issues in their
