[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[eclipse.org-architecture-council] [Bug 337005] New: Security procedures: Reporting
- From: bugzilla-daemon@xxxxxxxxxxx
- Date: Fri, 11 Feb 2011 15:10:08 -0500
- Auto-submitted: auto-generated
- Delivered-to: firstname.lastname@example.org
Product/Component: Community / Architecture Council
Summary: Security procedures: Reporting
Classification: Eclipse Foundation
Component: Architecture Council
Our bugzilla instance is configured such that projects can request the ability
to mark bugs as "committers-only". This restricts visibility of the bug to
eclipse.org committers, the bug reporter, assignee, people in the cc list, etc.
(i.e. committers and anybody else explicitly listed).
To report a security issue with an Eclipse project, the reporter needs to
explicitly flip this bit (it appears at the bottom of the submit page). AFAIK,
this is not represented in Mylyn.
Perhaps we can encourage projects to provide a link that has this bit flipped
How do we handle bugs from a user who doesn't know what project to report
against? Should we make a "security" email alias that forward to a trusted
"inner circle" (you'll find that I use this term a lot) who can do the initial
At the moment, the ability to mark a bug as "committers-only" is on a
project-by-project basis (you have to ask the Webmaster). AFAIK, this was done
to avoid adding additional complexity to the reporting page. Should we just
enable this for all projects?
At the moment, we have 36 bugs marked as "committers-only". IMHO, many of these
do not need to be marked as such (in fact, I would go so far as to say that
they are incorrectly marked as such).
Ultimately, once a conclusion has been reached, I believe that the
"committers-only" flag should be cleared on all bugs. When that happens is an
interesting question that I'll create another bug for discussion.
Configure bugmail: https://bugs.eclipse.org/bugs/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.