On Friday 24 September 2010, at 16:57:57, Andre Klapper wrote:
> Instead of having two bugtrackers a saner way is to restrict access in
> bugs.meego.com to attachments when being attached in case they contain
> sensitive information (however the developer has to find out somehow),
> and to investigate how to keep information about potential new hardware
> secret (=only accessible to a few people) too, e.g. by making certain
> fields only visible/accessible to members of certain groups.
[snip]
> The question is if Nokia wants to do that, as I haven't seen any
> attempts so far to upstream internal Nokia Bugzilla changes (the last
> and only commit from a @nokia.com address according to bzr log was "fix
> perl warnings under 5.6.0" from 2001, but maybe Nokia employees just
> don't like using their @nokia.com addresses).

Sorry, sensitive information in a non-firewalled server or worse in a 3rd-party 
hosted server, even if protected by access lists, is not acceptable. We've 
been through this with our legal dept. and we simply cannot do it.

The only solution currently available to us is to run two servers, one for the 
public info and one containing the sensitive info.

We need to teach people to dissect any sensitive testcases into public-info 
testcases and post to public bug-trackers. If sensitive information is 
required to understand the bug, then a follow-up report in the internal, 
secure tracker is necessary.

That's the setup we have for Qt (http://bugreports.qt.nokia.com and the 
internal JIRA server) and we try to enforce the rule by seldom triaging the 
reports in the internal server. If internal Nokia teams want to get our 
attention, they have to post to the public tracker.

This doesn't work 100%. Every 2 weeks or so, someone leaks a codename or a 
product model that they shouldn't, which prompts the sysadmins to modify the 
database and remove the info. And we keep getting escalations by email that 
the reports on the internal server aren't dealt with.

-- 
Thiago Macieira - thiago (AT) macieira.info - thiago (AT) kde.org
  Senior Product Manager - Nokia, Qt Development Frameworks
      PGP/GPG: 0x6EF45358; fingerprint:
      E067 918B B660 DBD1 105C  966C 33F5 F005 6EF4 5358

Qt Developer Days 2010  -  Munich Oct 11-13  -  San Francisco Nov 1-3
For more information and to register: http://qt.nokia.com/qtdevdays2010

_______________________________________________
MeeGo-dev mailing list
[email protected]
http://lists.meego.com/listinfo/meego-dev