Re: Security reports in bugzilla?
- From: Gregory Leblanc <gleblanc linuxweasel com>
- Cc: gnome-2-0-list gnome org, gnome-devel-list gnome org
- Subject: Re: Security reports in bugzilla?
- Date: 21 Dec 2001 09:43:02 -0800
On Fri, 2001-12-21 at 03:35, Ross Golder wrote:
> On Fri, 2001-12-21 at 10:47, Telsa Gwynne wrote:
> > On Tue, Dec 18, 2001 at 10:32:39AM +0000 or thereabouts, Franck Martin wrote:
> > > I think the possibility to flag a problem as a security threat
> > > will bring the attention of the developers to limiting the security
> > > problems of their applications.
> > >
> > > What do you think?
> > I think that sticking the "gnome hackers only can see this bug" thing
> > on would do. I'm pretty sure that's why it's there. It was set up
> > when we (where "we" means "Martin" :)) set bugzilla up.
> Do you mean you would want to make security-related bug reports
> non-public, and only viewable by an elite group?
> Me no likey! :o) Better to open it up to a wider audience for a better
> chance of getting it fixed.
Well, I don't particularly like it either, but depending on the severity
of the security issue, I can see it being "desirable". If it's an issue
that is fairly easy to exploit, having it open to the public is a Bad
Thing, since Joe Black Hat Cracker can browse our bug system, and start
exploiting bugs that exist in some large portion of our user base. Even
after we make a fix available, it could be quite some time before users
manage to upgrade to a version that isn't vulnerable. I'm really quite
torn on which way things like this should go for the GNOME project.
Portland, Oregon, USA.