On Mon, Aug 1, 2011 at 6:38 AM, Andre Klapper <[email protected]> wrote:
> The proper fix probably would be to not allow queries embedded in MeeGo
> wiki pages to list Security tickets in Bugzilla.

That's not the proper fix. The proper fix is to either fix the API, or fix the security bug reporting process so that less critical information is exposed by the bugzilla API for security bugs.

For example
http://bugs.meego.com/buglist.cgi?quicksearch=NielsMayer&ctype=csv&columnlist=all
will return a CSV of all my bugs and
http://bugs.meego.com/buglist.cgi?quicksearch=NielsMayer&ctype=js&columnlist=all
will return the same as JSON formatted data. Although not containing the contents of potential security bugs, the API will expose the title, reporter, assignee, status, etc.

This is one of the many issues I had to deal with over a decade ago when I hacked together Issuezilla for collabnet, against my will, but it was an emergency, the pie-in-the-sky bugtracker wasn't ready, and openoffice.org needed to launch... our system was somewhat different as bugzilla ran inside sourcecast using its authentication system; as it was also designed for use in private extranets with two-factor auth and x509 personal certs, there was a much more sophisticated way of gating private from public issues in "Issuezilla".

One of the examples I just got running for Qtzibit ( http://code.google.com/p/qtzibit ) is a mild modification of BugXhibit ( http://www.visophyte.org/blog/2009/05/28/bugxhibit-exhibit-on-bugzilla-results/ ) and makes use of the above API. Looks like:
http://nielsmayer.com/meego/qml/bugxhibit.png
http://nielsmayer.com/meego/qml/bugzhibit-timeline.png

Feel free to try it yourself in your browser (or compile the app in qtcreator from qtzibit.pro)... the timeline sliders work pretty nicely on a touchscreen, although they can conflict with their flickable containers (thus the option of unchecking 'flickable' button in the examples).

* svn checkout http://qtzibit.googlecode.com/svn/trunk/ qtzibit
* firefox qtzibit/exhibit/src/webapp/examples/Bugxhibit/bugxhibit.html

Or run it on your Nokia N950 or N9:

* http://nielsmayer.com/meego/qml/qtzibit_0_0_3_armel.deb

-- Niels
http://nielsmayer.com

_______________________________________________
MeeGo-dev mailing list
[email protected]
http://lists.meego.com/listinfo/meego-dev
http://wiki.meego.com/Mailing_list_guidelines
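
Added example (not part of the original message, and not code from Bugzilla or Qtzibit): a check a tracker administrator could run over the CSV that `buglist.cgi?ctype=csv` returns to a logged-out client, reporting which of the fields named in the message are exposed for bugs known to be security-restricted. The column ids, the `audit_export` name and the sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Fields the message names as exposed (title, reporter, assignee, status),
# written with Bugzilla's usual column ids; this mapping is an assumption.
SENSITIVE_COLUMNS = ("short_desc", "reporter", "assigned_to", "bug_status")


def audit_export(csv_text, restricted_ids):
    """Return {bug_id: [exposed columns]} for restricted bugs found in an export.

    csv_text       -- body of a ctype=csv bug list fetched without logging in
    restricted_ids -- bug ids the administrators know to be security-restricted
    """
    restricted = {str(i) for i in restricted_ids}
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        bug_id = (row.get("bug_id") or "").strip()
        if bug_id not in restricted:
            continue
        # A restricted bug appearing at all is a finding, even with empty fields.
        findings[bug_id] = [
            col for col in SENSITIVE_COLUMNS if (row.get(col) or "").strip()
        ]
    return findings


# Constructed sample export (not real MeeGo data).
SAMPLE_CSV = '''bug_id,"product","assigned_to","bug_status","short_desc","reporter"
1001,"Docs","alice@example.org","NEW","Typo in install guide","bob@example.org"
1002,"Security","carol@example.org","ASSIGNED","Crash parsing crafted file","dave@example.org"
1003,"Security","","","",""
'''

if __name__ == "__main__":
    for bug, cols in audit_export(SAMPLE_CSV, [1002, 1003]).items():
        print(bug, "exposed:", ", ".join(cols) or "(row present, fields empty)")
```

An empty result for the restricted ids is the passing state; any key in the returned mapping means the anonymous export listed a bug it should not have.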
