Re: Re-working group security

Hey Hey :)

Max Kanat-Alexander wrote:
The "hackers" group is itself now pretty much obsolete--there is a "developers" group that is inherited by anybody in any product-specific "developers" group.

I'd like to propose that we delete the "hackers" group, and any bugs currently assigned to it be re-assigned to the product-specific "developers" group for the product the bug is in, which is a more appropriate handling for security issues anyhow. (There are only 29 bugs that we'd have to move.)

    That sound OK?

Hm. I'm not really convinced that this is a good idea, but that might be due to my limited knowledge about Bugzilla. The usecase I have in mind is, that I (as a bugmaster) might want to set a bugreport to a somewhat more confidential level, although I am not a developer of that product. Will that be still possible?

After that, we may want to discuss how to adapt Bugzilla to be more appropriate for storing security and tracking issues for GNOME.
I talked to Owen a bit about this, and he mentioned that currently security issues are reported by sending an email to security gnome org,
Oh, didn't know that. We should increase its visibility. Who's subscribed there? Are there any published policies (like I'd be glad to help out building a security-researcher friendly infrastructure, but we should probably discuss that on a channel with more bandwidth.
Perhaps we should just auto-CC "security gnome org" on any bug filed with a restriction to a security group, and make it easier to file security bugs with an improved UI for it.

Sounds really good.

Thanks for all your work!

Attachment: signature.asc
Description: OpenPGP digital signature

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]