On 02/17/2017 12:23 PM, Shyam wrote:
On 02/15/2017 08:06 PM, Shyam wrote:
On 02/15/2017 04:27 PM, Amye Scavarda wrote:
On Wed, Feb 8, 2017 at 11:04 AM, Shyam <[email protected]
<mailto:[email protected]>> wrote:
How does Github help a project with something like a zero-day issue that
needs to be fixed but can't be public?
Or other security issues?

Does a [email protected] like list help here? People who are
reporting security vulnerabilities are also responsible not to make it
public (I think), so reaching out to a mailing list that is more
strictly controlled may help here?

Added misc, as he had some good observations in the bug report against infra [2] that was filed.

Currently security CVEs seem to reach us through here,
  RH Bugzilla: Product "Security response", Component "vulnerability"
  example: https://bugzilla.redhat.com/show_bug.cgi?id=1138145
  example: https://bugzilla.redhat.com/show_bug.cgi?id=1200927

I think the above does not change with this proposed move to GitHub. Is there something I am missing?


Here is another thought for the above and also for questions on "where
will users upload logs/cores or any such data".

Let's use bugzilla for security related bugs, this can be clarified in
the issue template (see [1]).

Let's also add to the template that a bug can be opened to attach issue
related content and referenced in the issue, and vice versa. This is not
an additional step in any case, as the user has to go to some site/place
to upload the logs and point us to that when needed.

Thoughts? This can be discussed in isolation of "are we going to github
for bugs now?" discussion I hope :)

Shyam
[1] github issue and PR templates: https://review.gluster.org/16618
[2] BZ against Infra: https://bugzilla.redhat.com/show_bug.cgi?id=1423002
_______________________________________________
maintainers mailing list
[email protected]
http://lists.gluster.org/mailman/listinfo/maintainers
