Re: Crypto/Security component in Bugzilla
> "Mark" == Mark Wielaard <[EMAIL PROTECTED]> writes:

Mark> In that case it seems we don't need a keyword or meta-bug but just a new
Mark> 'security' component covering java.security.* (Permissions, Policies,
Mark> SecurityManager)?

As I recall the discussion was about security as cross-cutting concern -- not exactly (or just) java.security but also security issues anywhere in the library.

Tom
Re: Crypto/Security component in Bugzilla
On Wed, 2006-02-01 at 20:01 -0500, Andrew Pinski wrote:
> On Feb 1, 2006, at 7:52 PM, Tom Tromey wrote:
> > I thought this question was more about "security" in the sense of
> > "bugs we know of in our security code", not "security flaws requiring
> > a quick turnaround".
>
> Likewise. After reading Casey's email that Mark responded to.

In that case it seems we don't need a keyword or meta-bug but just a new 'security' component covering java.security.* (Permissions, Policies, SecurityManager)?

Cheers,

Mark
Re: Crypto/Security component in Bugzilla
On Feb 1, 2006, at 5:01 PM, Andrew Pinski wrote:
> On Feb 1, 2006, at 7:52 PM, Tom Tromey wrote:
> > I thought this question was more about "security" in the sense of
> > "bugs we know of in our security code", not "security flaws requiring
> > a quick turnaround".
>
> Likewise. After reading Casey's email that Mark responded to.

Yeah, that was what I meant. Because the Java security model potentially touches everything, and isn't exactly a "component."
Re: Crypto/Security component in Bugzilla
On Feb 1, 2006, at 7:52 PM, Tom Tromey wrote:
> I thought this question was more about "security" in the sense of
> "bugs we know of in our security code", not "security flaws requiring
> a quick turnaround".

Likewise. After reading Casey's email that Mark responded to.

-- Pinski
Re: Crypto/Security component in Bugzilla
> "Mark" == Mark Wielaard <[EMAIL PROTECTED]> writes:

Mark> Maybe Andrew (one of the gcc bug-masters) can advise us on when to add a
Mark> new keyword and when to use meta-bugs. How do other projects handle
Mark> security issues/bug reports in their issue trackers?

Often serious security issues aren't filed at all, but instead the maintainers are contacted privately, and the fixes are embargoed until a certain date.

I thought this question was more about "security" in the sense of "bugs we know of in our security code", not "security flaws requiring a quick turnaround".

Tom
Re: Crypto/Security component in Bugzilla
Hi Casey,

On Wed, 2006-02-01 at 13:00 -0800, Casey Marshall wrote:
> It's just that crypto/ssl is a large part of
> Classpath now, so it makes sense that it have its own component (and
> bugs!).

You got it! There is a new 'crypto' component for the 'classpath' product now with you as default owner. But feel free to reassign any bugs reported against it to others after initial analysis.

> > And maybe a "security" keyword that describes
> > direct security issues?
> >
> > For security right now we have a meta-bug which depends on all the
> > security issues -- PR 13603. This is a bit weird since this
> > predates classpath using bugzilla, and is filed against gcj.
> >
> > I don't know the pros and cons of meta-bugs versus keywords. I'm
> > fine with whatever works.

Maybe Andrew (one of the gcc bug-masters) can advise us on when to add a new keyword and when to use meta-bugs. How do other projects handle security issues/bug reports in their issue trackers?

Cheers,

Mark
Re: Crypto/Security component in Bugzilla
On Feb 1, 2006, at 12:25 PM, Tom Tromey wrote:
> "Casey" == Casey Marshall <[EMAIL PROTECTED]> writes:
>
> Casey> Any thoughts on adding a "crypto" or "security" component to
> Casey> Classpath Bugzilla? And maybe a "security" keyword that describes
> Casey> direct security issues?
>
> For a new component I think we generally want to have a default owner for the bugs. In any case, if you think it is worthwhile, then I'm for it.

I can be the default owner of those bugs. Or maybe Raif, if he wants to. The two of us wrote the bulk of the crypto code.

> For security right now we have a meta-bug which depends on all the security issues -- PR 13603. This is a bit weird since this predates classpath using bugzilla, and is filed against gcj.
>
> I don't know the pros and cons of meta-bugs versus keywords. I'm fine with whatever works.

That's not a big deal. It's just that crypto/ssl is a large part of Classpath now, so it makes sense that it have its own component (and bugs!).
Re: Crypto/Security component in Bugzilla
> "Casey" == Casey Marshall <[EMAIL PROTECTED]> writes:

Casey> Any thoughts on adding a "crypto" or "security" component to
Casey> Classpath Bugzilla? And maybe a "security" keyword that describes
Casey> direct security issues?

For a new component I think we generally want to have a default owner for the bugs. In any case, if you think it is worthwhile, then I'm for it.

For security right now we have a meta-bug which depends on all the security issues -- PR 13603. This is a bit weird since this predates classpath using bugzilla, and is filed against gcj.

I don't know the pros and cons of meta-bugs versus keywords. I'm fine with whatever works.

Casey> I don't know how to do this, so really I'm batting my eyelashes at
Casey> whoever does know.

Mark has the needed privileges.

Tom
Crypto/Security component in Bugzilla
Any thoughts on adding a "crypto" or "security" component to Classpath Bugzilla? And maybe a "security" keyword that describes direct security issues? I don't know how to do this, so really I'm batting my eyelashes at whoever does know.