On 2/15/11 4:29 PM, Toshio Kuratomi wrote: > https://fedorahosted.org/fesco/ticket/561 > > Recently, it was brought up to me that bugz.fp.o was showing summaries of > bugs that are marked private. This was probably revealing too much > information as summaries could contain harmful clues about security issues. > My quick fix was to not list those bugs at all. However, I wanted to restore > the bug #'s themselves to the list (with a hidden summary). This brings up > a question of how much security is warranted: > > On the one hand, it could be argued that even seeing that there's a new > private (and therefore likely security) bug against a package may be giving > away too much information. "Oh, so bind has a new private bug in Fedora's > bugzilla? I wonder if I can ask my blackhat contacts for some bind exploit > code before that gets fixed." > > The opposite side is that maintainers have come to use bugz.fp.o as a way to > quickly find and see what bugs exist in their packages. A maintainer that > depends on that could be unpleasantly surprised by the lack of private bugs > -- for instance, forgetting about a security bug because it's not listed on > bugz.fp.o or someone reviving an orphaned package unaware that it has > unresolved security bugs. > > > I'm posting here to get feedback on whether other maintainers use bugz.fp.o > like this and see this as a problem. If so, I'll have FESCo decide whether > security or convenience/confusion is more important in this case. > > -Toshio >
I think either way would be fine, but what I'd also like to see is a link for the query that one can click on and run within bugzilla using their own bugzilla credentials. That way they can get the full view of potentially private items as well. If you go on the side of not showing all bugs (if you can detect that there are some private ones), perhaps show a admonition somewhere that not all bugs are shown, please log into bugzilla for the full view, otherwise don't show the admonition. -- Jesse Keating Fedora -- FreedomĀ² is a feature! identi.ca: http://identi.ca/jkeating -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel