On Thu, 18 Mar 2021, Sidney Markowitz wrote:
> Given that the security purpose for that policy is not actually helped by it, and it is more convenient to close bugs when the fix has been tested and committed, I propose that we drop that policy.

I have no objections. Access to security issues in BZ is restricted so that seems an exercise in security through obscurity.
Are there guidelines for how to (not) comment on the commit that fixes a CVE? Blocking public access to a bug doesn't help obscure the fix if the public comment on the fix commit is referencing a locked security bug...
--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 [email protected]    pgpk -a [email protected]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
 Then there's that look that your cat gives you when you make six
 grammatical errors and two pronunciation errors in one sentence when
 you meow back at him.
-----------------------------------------------------------------------
 291 days since the first private commercial manned orbital mission (SpaceX)
