Re: Security reports in bugzilla?
- From: Bill Haneman <bill haneman sun com>
- Cc: gnome-devel-list gnome org, gnome-bugsquad gnome org
- Subject: Re: Security reports in bugzilla?
- Date: Wed, 19 Dec 2001 10:38:32 +0000
I think that a 'security' keyword in bugzilla would be a very good idea
regardless of how we proceed. There are some people and organizations
that will be particularly interested in security-related bugs and it's
good to have a consistent way of keeping tabs on them. It seems to me
that we don't have a consistently-used "security" keyword at the moment;
perhaps I missed something.
> Franck Martin wrote:
> May I make an analogy:
> It is not because a country doesn't know how to deal with AIDS that
> the country does not make a census to know how many cases there are.
> The first step to tackle AIDS in many developing countries is to know
> the extent of the problem.
> I think getting statistics on the number of security issues present in
> Gnome over time will help... Usually security bugs in common libraries
> are quickly patched by security experts, if you can provide an
> interface via bugzilla to record the security problem and the fix,
> then you will attract these security experts to Gnome.
> Cf last announcement of the GLIBC buffer overflow.
> Eliot, you do a great job with your bug nag, at least you show the
> extent of the problem. If you want to nag more you can do the
> following presentation:
> application | number of bugs open | oldest bug in bugzilla | number of
> security bugs open
> franck sopac org
> On Tue, 2001-12-18 at 14:19, Sander Vesik wrote:
> On Tue, 18 Dec 2001, Franck Martin wrote:
> > I know the bugsquad team is overloaded, and there are many bugs out there,
> > BUT you shouldn't ignore the problem. Let's flag it and see what we can do
> > later.
> This sounds presently as running an advertisement 'will drag in all wooden
> horses and not inspect the contents' on our city gates...
> > It is important for gnome to be a security conscious development platform.
> Yes, but it presently isn't, as evidenced by not having any formal way of
> dealing with security problems and not even having a designated