Hey Hey :) Max Kanat-Alexander wrote:
The "hackers" group is itself now pretty much obsolete--there is a "developers" group that is inherited by anybody in any product-specific "developers" group.Hm. I'm not really convinced that this is a good idea, but that might be due to my limited knowledge about Bugzilla. The usecase I have in mind is, that I (as a bugmaster) might want to set a bugreport to a somewhat more confidential level, although I am not a developer of that product. Will that be still possible?I'd like to propose that we delete the "hackers" group, and any bugs currently assigned to it be re-assigned to the product-specific "developers" group for the product the bug is in, which is a more appropriate handling for security issues anyhow. (There are only 29 bugs that we'd have to move.)That sound OK?
After that, we may want to discuss how to adapt Bugzilla to be more appropriate for storing security and tracking issues for GNOME.
I talked to Owen a bit about this, and he mentioned that currently security issues are reported by sending an email to security gnome org,Oh, didn't know that. We should increase its visibility. Who's subscribed there? Are there any published policies (like http://www.kde.org/info/security/policy.php)? I'd be glad to help out building a security-researcher friendly infrastructure, but we should probably discuss that on a channel with more bandwidth.
Perhaps we should just auto-CC "security gnome org" on any bug filed with a restriction to a security group, and make it easier to file security bugs with an improved UI for it.
Sounds really good. Thanks for all your work! Tobi
Description: OpenPGP digital signature