Mitchell Stoltz wrote:
>
> If possible, let's make it so that the reporter and anyone CC'd on the bug should
> be able to see it, regardless of their membership in the security group. We
> should also have an understanding about adding people to the group...I would
> propose that any member of the group can add new members, but should email the
> group and make sure there's no objections. No formal voting or anything, just a
> simple "is this okay with everyone" and then proceed in the absence of
> objections. Sound good?

Sounds fantastic, but it's not the same as ``anyone who can confirm
bugs''. I'm happy with it, myself, just wanted to make sure that it was
an intentional difference.

So we need:

- a security group -- I'll go define that now, with (shaver, mstoltz,
  mitchell, blizzard, brendan) as the initial membership.
- hacks to bugzilla such that:
  = anyone can mark a bug security-confidential, including during initial
    report
  = anyone on the Cc/Assigned/QA-contact/reporter lists can see the bug
  = anyone in the security group can unmark the bug

Any takers on bugzilla hacking for the latter?

Mike
--
2026060.30 1573923.61
Let's have it be a "security group" now, and let the temptation for
wider access guide our hand in liberal additions to the list. As the
set of people in the list approaches a decent portion (10%, even?) of
the can-confirm population, we can revisit this decision.
Mike
--
2028586.08 1576124.11