[eclipse.org-architecture-council] [Bug 337005] New: Security procedures: Reporting

https://bugs.eclipse.org/bugs/show_bug.cgi?id=337005
Product/Component: Community / Architecture Council

           Summary: Security procedures: Reporting
    Classification: Eclipse Foundation
           Product: Community
           Version: unspecified
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P3
         Component: Architecture Council
        AssignedTo: eclipse.org-architecture-council@xxxxxxxxxxx
        ReportedBy: wayne@xxxxxxxxxxx
            Blocks: 337004


Our bugzilla instance is configured such that projects can request the ability
to mark bugs as "committers-only". This restricts visibility of the bug to
eclipse.org committers, the bug reporter, assignee, people in the cc list, etc.
(i.e. committers and anybody else explicitly listed).

To report a security issue with an Eclipse project, the reporter needs to
explicitly flip this bit (it appears at the bottom of the submit page). AFAIK,
this is not represented in Mylyn.

Perhaps we can encourage projects to provide a link that has this bit flipped
on automatically.

How do we handle bugs from a user who doesn't know what project to report
against? Should we make a "security" email alias that forwards to a trusted
"inner circle" (you'll find that I use this term a lot) who can do the initial
triage?

At the moment, the ability to mark a bug as "committers-only" is on a
project-by-project basis (you have to ask the Webmaster). AFAIK, this was done
to avoid adding additional complexity to the reporting page. Should we just
enable this for all projects?

At the moment, we have 36 bugs marked as "committers-only". IMHO, many of these
do not need to be marked as such (in fact, I would go so far as to say that
they are incorrectly marked as such).

Ultimately, once a conclusion has been reached, I believe that the
"committers-only" flag should be cleared on all bugs. When that happens is an
interesting question that I'll create another bug for discussion.
