Re: Security reports in bugzilla?



On Mon, Dec 24, 2001 at 02:59:45AM +0000 or thereabouts, Franck Martin wrote:
> On Sun, 2001-12-23 at 14:09, Telsa Gwynne wrote:

Just to clarify for people thinking "Eh?" -- I did write all that.
In private mail. I thought it was off-topic for the lists which
is why I didn't send it here (wherever you are reading this) in
the first place. 

So I have snipped it all out again. :)

I really do know the difference between mutt's (r)eply, (g)roup-reply
and <L)list-reply options. And people keep assuming I meant to send 
off-list replies to the lists and helpfully resending them for me. 

> I think bugzilla should allow the possibility to flag something as
> security vulnerability, or there should be a big statement on the gnome
> web page on what to do if you find something insecure...
> 
> Gnome needs a clear open policy about security issues.

I agree that we need a policy everyone knows about, and a link
on www.gnome.org to it once it's around. 

As to how/why bugzilla does it currently, it was hashed out on 
gnome-hackers when it was set up. I went to check from saved
mail and found 250+ messages in the threads about bugzilla
setup and bug-handling (and that's just those I bothered to 
save!), so it will take a little longer than I thought to go 
and check why we didn't put a security severity in in the 
first place. I rather suspect we thought people would be
using priority and severity more than they appear to and 
that "critical" would do. But I am looking now. 

I am still not sure these are the right lists to use for discussion:
at the very least we could drop one of them from the cc line.
Suggestions on the best place to take this appreciated.

Telsa


