#561 Should bugz.fedoraproject.org give links to security/private bugs?
Closed None Opened 10 years ago by toshio.

= Proposal topic =

Recently, it was brought up to me that bugz.fp.o was showing summaries of bugs that are marked private. This was probably revealing too much information as summaries could contain harmful clues about security issues. My quick fix was to not list those bugs at all. However, I wanted to restore the bug #'s themselves to the list (with a hidden summary). This brings up a question of how much security is warranted:

On the one hand, it could be argued that even seeing that there's a new private (and therefore likely security) bug against a package may be giving away too much information. "Oh, so bind has a new private bug in Fedora's bugzilla? I wonder if I can ask my blackhat contacts for some bind exploit code before that gets fixed."

The opposite side is that maintainers have come to use bugz.fp.o as a way to quickly find and see what bugs exist in their packages. A maintainer that depends on that could be unpleasantly surprised by the lack of private bugs -- for instance, forgetting about a security bug because it's not listed on bugz.fp.o or someone reviving an orphaned package unaware that it has unresolved security bugs.

I'll ask for feedback on devel@l.fp.o to see if maintainers other than me use the bugz list in this manner. If so I'll ask FESCo to make a decision about whether showing the bug numbers but not the contents of the bug is acceptable or not.
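The two list behaviours the post weighs (drop private bugs entirely, or list the bug number with the summary hidden), as an added Python example that is not code from bugz.fp.o or the original ticket; the `Bug` record, the policy names and the sample bugs are constructed for illustration, and a leak check confirms no restricted summary reaches the rendered list:

```python
from dataclasses import dataclass
from enum import Enum


class PrivatePolicy(Enum):
    """How a package bug list treats bugs restricted to a bugzilla group."""
    FULL = "full"                # original behaviour: private summaries were shown
    OMIT = "omit"                # the quick fix: private bugs are not listed at all
    NUMBER_ONLY = "number_only"  # proposal: list the bug number, hide the summary


@dataclass(frozen=True)
class Bug:
    bug_id: int
    package: str
    summary: str
    groups: frozenset  # bugzilla groups restricting the bug; empty means public


REDACTED = "[private bug: summary hidden]"


def is_private(bug):
    return bool(bug.groups)


def render_package_bugs(bugs, package, policy):
    """Return (bug_id, summary) rows for one package under the given policy."""
    rows = []
    for bug in sorted(bugs, key=lambda b: b.bug_id):
        if bug.package != package:
            continue
        if not is_private(bug) or policy is PrivatePolicy.FULL:
            rows.append((bug.bug_id, bug.summary))
        elif policy is PrivatePolicy.NUMBER_ONLY:
            rows.append((bug.bug_id, REDACTED))
        # PrivatePolicy.OMIT: private bugs are dropped from the list entirely
    return rows


def leaked_private_summaries(rows, bugs):
    """Private summaries that appear verbatim in the rendered rows (should be empty)."""
    private = {b.summary for b in bugs if is_private(b)}
    return sorted(s for _, s in rows if s in private)


# Constructed sample data: bug numbers, packages and summaries are made up.
SAMPLE_BUGS = [
    Bug(1001, "bind", "named crashes on malformed config", frozenset()),
    Bug(1002, "bind", "crash on crafted input (restricted)", frozenset({"security"})),
    Bug(1003, "bind", "man page typo", frozenset()),
    Bug(1004, "vim", "crash opening empty buffer", frozenset()),
]
```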

FESCo is ok with showing the bug numbers and/or some other solution like a disclaimer and link to the raw bugzilla query.

In the previous discussions, it was pointed out that we want to remove some of the pkgdb BZ user's privileges (e.g. it should not see bugs restricted only to the security group). The plan is to work with RH bugzilla folks to see how to remove unneeded privileges without breaking existing uses.

There may be a separate additional discussion on non-security private bugs, as this issue was raised by a person not being able to access a Fedora bug restricted to RH internal groups. While BZ is configured to allow some RH internal groups to be selected for Fedora bugs (historical reasons possibly?), I wonder if they are still expected to be used.

We've spent too much time on this already.

Let's just remove the security group from Fedora bugs. We don't support embargoed security flaws in Fedora. If having that group there is going to create problems like this, take it out.

There's no sense in arguing about if we should or shouldn't be showing something that shouldn't even exist in the first place.

Removing the security group from Fedora bugs will not fix the problem of the pkgdb user being able to view bugs it should not be allowed to view, filed against any product in bugzilla.r.c.

