Re: Security reports in bugzilla?

On Fri, 2001-12-21 at 03:35, Ross Golder wrote:
> On Fri, 2001-12-21 at 10:47, Telsa Gwynne wrote:
> > On Tue, Dec 18, 2001 at 10:32:39AM +0000 or thereabouts, Franck Martin wrote:
> > > I think with the possibility to flag a problem as a security threat,
> > > will bring the attention of the developers on limiting the security
> > > problems of their applications.
> > > 
> > > What do you think?
> > 
> > I think that sticking the "gnome hackers only can see this bug" thing
> > on would do. I'm pretty sure that's why it's there. It was set up 
> > when we (where "we" means "Martin" :)) set bugzilla up.
> 
> Do you mean you would want to make security-related bug reports
> non-public, and only viewable by an elite group?
> 
> Me no likey! :o) Better to open it up to a wider audience for a better
> chance of getting it fixed.

Well, I don't particularly like it either, but depending on the severity
of the security issue, I can see it being "desirable".  If it's an issue
that is fairly easy-to-exploit, having it open to the public is a Bad
Thing, since Joe Black Hat Cracker can browse our bug system, and start
exploiting bugs that exist in some large portion of our user base.  Even
after we make a fix available, it could be quite some time before users
manage to upgrade to a version that isn't vulnerable.  I'm really quite
torn on which way things like this should go for the GNOME project.
	Greg

-- 
Portland, Oregon, USA.