On 01/30/2012 02:49 AM, Martin Pool wrote:
> This all sounds much clearer. I guess you're going to blog about it?
>
> On 27 January 2012 07:17, curtis Hovey <curtis.ho...@canonical.com> wrote:
>> I expect to see something like this
>> when I open the visibility picker for a bug:
>>
>> Public
>>   Everyone can see this bug
>> Unembargoed Security
>>   Everyone can see this resolved security related bug
>> Embargoed Security
>>   Only users in the project's security policy can see this bug
>> User data
>>   Only users in the project's user data policy can see this bug
>> Proprietary
>>   Only users in the project's proprietary policy can see this bug
>
> Is there an ordering or relation between these? What if it's a
> security bug that also happens to contain private user data? Probably
> it should never become public, but if the ordering is not clear in the
> ui people might get it wrong.

We rely on ourselves to determine security and user-data issues contained in a bug. If user-data cannot be removed from the bug, common practice is to report a separate bug to track the security issue. This is the same practice that proprietary projects do now when partners/customers report bugs that pertain to a security issue because the relationship with the partner is confidential.

-- 
Curtis Hovey
http://launchpad.net/~sinzui
_______________________________________________
Mailing list: https://launchpad.net/~launchpad-dev
Post to     : launchpad-dev@lists.launchpad.net
Unsubscribe : https://launchpad.net/~launchpad-dev
More help   : https://help.launchpad.net/ListHelp