[eclipse.org-committers] Bugzilla: Security vulnerabilities and private, closed bugs

Greetings,

I've leveraged Bugzilla functionality to allow committers to discuss bugs related to security vulnerabilities in a private and closed fashion.  Currently, this functionality is only implemented for the Platform project to keep everyone else's Bugzilla UI uncluttered, but it can be extended to any other project that has a need for this.

Typically, when someone discovers a security-related issue, a bug is opened with an abstract description, allowing the committers to "hide" the bug from the public eye while the issue is discussed and a fix is prepared.  The bug is opened to the public once a fix is generally available and a security advisory has been issued.

Please note that this closed discussion functionality must only be used to protect the general public from a security-related exploit.

How does it work?

When the "Committer-only group..." checkbox is checked (pictured below), the bug becomes private to Eclipse committers and, optionally, to the reporter and the CC list.  Committers can add non-committers to the CC list to allow them to participate in the closed discussion.  Removing the checkbox puts the bug back into the public eye, where it should be.

[Screenshot: Bugzilla UI]

http://bugs.eclipse.org/223539 is what initiated this change in Bugzilla.

Thanks,

Denis

-- 
Denis Roy
Manager, IT Infrastructure
Eclipse Foundation, Inc.  --  http://www.eclipse.org/
Office: 613.224.9461 x224 (Eastern time)
Cell: 819.210.6481
denis.roy@xxxxxxxxxxx