Re: Security reports in bugzilla?
- From: Telsa Gwynne <hobbit aloss ukuu org uk>
- To: gnome-2-0-list gnome org, gnome-devel-list gnome org
- Subject: Re: Security reports in bugzilla?
- Date: Sun, 23 Dec 2001 16:19:28 +0000
On Mon, Dec 24, 2001 at 02:59:45AM +0000 or thereabouts, Franck Martin wrote:
> On Sun, 2001-12-23 at 14:09, Telsa Gwynne wrote:
Just to clarify for people thinking "Eh?" -- I did write all that.
In private mail. I thought it was off-topic for the lists which
is why I didn't send it here (wherever you are reading this) in
the first place.
So I have snipped it all out again. :)
I really do know the difference between mutt's (r)eply, (g)roup-reply
and (L)ist-reply options. And people keep assuming I meant to send
off-list replies to the lists and helpfully resending them for me.
> I think bugzilla should allow the possibility to flag something as
> a security vulnerability, or there should be a big statement on the gnome
> web page on what to do if you find something insecure...
> Gnome needs a clear open policy about security issues.
I agree that we need a policy everyone knows about, and a link
on www.gnome.org to it once it's around.
As to how/why bugzilla does it currently, it was hashed out on
gnome-hackers when it was set up. I went to check from saved
mail and found 250+ messages in the threads about bugzilla
setup and bug-handling (and that's just those I bothered to
save!), so it will take a little longer than I thought to go
and check why we didn't put a security severity in in the
first place. I rather suspect we thought people would be
using priority and severity more than they appear to and
that "critical" would do. But I am looking now.
I am still not sure these are the right lists to use for discussion:
at the very least we could drop one of them from the cc line.
Suggestions on the best place to take this appreciated.