Re-working group security


Re-working group security

by Max Kanat-Alexander

        Hey folks. You may notice that every bug seems to have three groups
available now that you can secure it to (well, maybe two if you're only
a developer, but three if you're a Bugzilla admin):

        * Bugzilla Maintainers.
        * The Product's developers group.
        * The "hackers" group.

        The "hackers" group is itself now pretty much obsolete--there is a
"developers" group that is inherited by anybody in any product-specific
"developers" group.

        I'd like to propose that we delete the "hackers" group, and any bugs
currently assigned to it be re-assigned to the product-specific
"developers" group for the product the bug is in, which is a more
appropriate handling for security issues anyhow. (There are only 29 bugs
that we'd have to move.)

        That sound OK?

        After that, we may want to discuss how to adapt Bugzilla to be more
appropriate for storing security and tracking issues for GNOME. I talked
to Owen a bit about this, and he mentioned that currently security
issues are reported by sending an email to security@..., but this
seems somewhat error-prone and hard to track as a developer, and doesn't
give you all the facilities of Bugzilla. Perhaps we should just auto-CC
"security@..." on any bug filed with a restriction to a security
group, and make it easier to file security bugs with an improved UI for it.

        -Max
--
http://www.everythingsolved.com/
Competent, Friendly Bugzilla and Perl Services. Everything Else, too.
_______________________________________________
Gnome-bugsquad mailing list
Gnome-bugsquad@...
http://mail.gnome.org/mailman/listinfo/gnome-bugsquad
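The two changes proposed in the message above (re-homing bugs from the catch-all "hackers" group into each product's developers group, and auto-CCing the security contact on bugs restricted to a security group) can be sketched as a small migration routine. This is an added example, not code from the thread or from Bugzilla: the `Bug` record, the product-to-group mapping, the group names and the `security@example.org` address are constructed stand-ins for Bugzilla's real tables. The point it adds is the failure mode a migration must handle: a bug whose product has no developers group is skipped rather than stripped of its only restriction, since dropping the last group would make a security bug public.

```python
"""Constructed simulation of a Bugzilla-style group migration plus an
auto-CC rule. Example only; not Bugzilla's own code or schema."""
from dataclasses import dataclass, field


@dataclass
class Bug:
    bug_id: int
    product: str
    groups: set[str] = field(default_factory=set)  # groups the bug is restricted to
    cc: set[str] = field(default_factory=set)


# Constructed mapping: product name -> its developers group.
# "Evince" is deliberately absent to exercise the skip path.
PRODUCT_DEV_GROUPS = {
    "Evolution": "evolution_developers",
    "Nautilus": "nautilus_developers",
}

# Placeholder for the security@... address mentioned in the thread.
SECURITY_CONTACT = "security@example.org"


def sample_bugs():
    """Constructed sample data standing in for rows of bug_group_map."""
    return [
        Bug(1, "Evolution", {"hackers"}),
        Bug(2, "Nautilus", {"hackers", "nautilus_developers"}),
        Bug(3, "Evince", {"hackers"}),          # product has no developers group
        Bug(4, "Nautilus", set()),              # public bug, no restriction
    ]


def migrate_group(bugs, old_group, product_dev_groups):
    """Replace old_group on each bug with the bug's product developers group.

    Returns (migrated_ids, skipped_ids). A bug whose product has no
    developers group is left untouched so it never loses its restriction;
    the caller resolves those by hand before old_group is deleted.
    """
    migrated, skipped = [], []
    for bug in bugs:
        if old_group not in bug.groups:
            continue
        target = product_dev_groups.get(bug.product)
        if target is None:
            skipped.append(bug.bug_id)
            continue
        bug.groups.discard(old_group)
        bug.groups.add(target)
        migrated.append(bug.bug_id)
    return migrated, skipped


def apply_security_cc(bug, security_groups, contact):
    """Auto-CC the security contact if the bug is restricted to any security group.

    Returns True when the CC was applied, False for unrestricted bugs.
    """
    if bug.groups & security_groups:
        bug.cc.add(contact)
        return True
    return False


if __name__ == "__main__":
    bugs = sample_bugs()
    moved, left = migrate_group(bugs, "hackers", PRODUCT_DEV_GROUPS)
    print("migrated:", moved, "skipped (fix by hand):", left)
    for b in bugs:
        apply_security_cc(b, set(PRODUCT_DEV_GROUPS.values()), SECURITY_CONTACT)
        print(b)
```

Running it on the sample data migrates bugs 1 and 2, reports bug 3 as needing manual attention, and CCs the security contact only on the bugs that end up restricted.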

Re: Re-working group security

by Tobias Mueller

Hey Hey :)

Max Kanat-Alexander wrote:

>     The "hackers" group is itself now pretty much obsolete--there is a
> "developers" group that is inherited by anybody in any product-specific
> "developers" group.
>
>     I'd like to propose that we delete the "hackers" group, and any bugs
> currently assigned to it be re-assigned to the product-specific
> "developers" group for the product the bug is in, which is a more
> appropriate handling for security issues anyhow. (There are only 29 bugs
> that we'd have to move.)
>
>     That sound OK?
>
Hm. I'm not really convinced that this is a good idea, but that might be
due to my limited knowledge about Bugzilla. The use case I have in mind
is that I (as a bugmaster) might want to set a bug report to a somewhat
more confidential level, although I am not a developer of that product.
Will that still be possible?

>     After that, we may want to discuss how to adapt Bugzilla to be more
> appropriate for storing security and tracking issues for GNOME.
*yay*
> I talked to Owen a bit about this, and he mentioned that currently security
> issues are reported by sending an email to security@...,
Oh, didn't know that. We should increase its visibility. Who's
subscribed there? Are there any published policies (like
http://www.kde.org/info/security/policy.php)?
I'd be glad to help out building a security-researcher friendly
infrastructure, but we should probably discuss that on a channel with
more bandwidth.
> Perhaps we should just auto-CC
> "security@..." on any bug filed with a restriction to a security
> group, and make it easier to file security bugs with an improved UI for it.
>
Sounds really good.

Thanks for all your work!
   Tobi


Re: Re-working group security

by Max Kanat-Alexander

Tobias Mueller wrote:
> Hm. I'm not really convinced that this is a good idea, but that might be
> due to my limited knowledge about Bugzilla. The usecase I have in mind
> is, that I (as a bugmaster) might want to set a bugreport to a somewhat
> more confidential level, although I am not a developer of that product.
> Will that be still possible?

        As a bugmaster, if you're an admin, you can restrict a bug to any
group. Also, we would make it so that anybody could file a bug into
these groups, if we decided to start using them for security purposes.

> I'd be glad to help out building a security-researcher friendly
> infrastructure, but we should probably discuss that on a channel with
> more bandwidth.

        Any suggestions for what would be a good channel?

        -Max
--
http://www.everythingsolved.com/
Competent, Friendly Bugzilla and Perl Services. Everything Else, too.

Re: Re-working group security

by Max Kanat-Alexander

        So, since there haven't been any objections raised in the thread that
weren't addressed, I'll be removing the "hackers" group in the next few
days and just letting people secure bugs to their own groups, unless
there are any objections.

        -Max
--
http://www.everythingsolved.com/
Competent, Friendly Bugzilla and Perl Services. Everything Else, too.