Re: [Mesa-dev] Proposal: allow hidden security bugs on Mesa's Bugzilla

2012-12-01 Thread Benoit Jacob
On 12-11-30 06:46 PM, Brian Paul wrote:
 On 11/30/2012 01:16 PM, Benoit Jacob wrote:
 On 12-11-30 12:13 PM, Jerome Glisse wrote:
 On Fri, Nov 30, 2012 at 7:43 AM, Benoit Jacob bja...@mozilla.com wrote:
 On 12-11-23 02:21 PM, Benoit Jacob wrote:
 On 12-11-21 12:48 PM, Chad Versace wrote:
 On 11/20/2012 09:29 AM, Benoit Jacob wrote:

 Any questions?
 Do you support or oppose me asking FD.o admins to allow hidden
 bugs on
 Mesa's bugzilla?

 Benoit
 I support this. It seems a sensible proposal for addressing
 security bugs.

 Thanks. I have just sent the request to FD.o admins.

 Benoit
 This option is now turned on on Bugzilla.

 See the new checkbox: Mesa Security Group

 Thanks!
 Benoit

 How does one get into the security group ?

 Don't ask me --- obviously I amn't part of it. I suppose you should have
 that conversation among core Mesa developers and FD.o admins.

 It sounds like we want to have a mesa-security mailing list to receive
 the bugzilla messages for the hidden/security bugs.  Whoever's on that
 list should have access to the bugs.  I'm not sure what the fd.o
 admins need to set that up.

 Benoit, did you create a bugzilla request for a mesa-security list? If
 not, would you mind doing that?

Done:
https://bugs.freedesktop.org/show_bug.cgi?id=57752

Benoit

 -Brian

___
mesa-dev mailing list
mesa-dev@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/mesa-dev


Re: [Mesa-dev] Proposal: allow hidden security bugs on Mesa's Bugzilla

2012-12-01 Thread Brian Paul

On 11/30/2012 01:16 PM, Benoit Jacob wrote:

On 12-11-30 12:13 PM, Jerome Glisse wrote:

On Fri, Nov 30, 2012 at 7:43 AM, Benoit Jacob bja...@mozilla.com wrote:

On 12-11-23 02:21 PM, Benoit Jacob wrote:

On 12-11-21 12:48 PM, Chad Versace wrote:

On 11/20/2012 09:29 AM, Benoit Jacob wrote:


Any questions?
Do you support or oppose me asking FD.o admins to allow hidden bugs on
Mesa's bugzilla?

Benoit

I support this. It seems a sensible proposal for addressing security bugs.


Thanks. I have just sent the request to FD.o admins.

Benoit

This option is now turned on on Bugzilla.

See the new checkbox: Mesa Security Group

Thanks!
Benoit


How does one get into the security group ?


Don't ask me --- obviously I amn't part of it. I suppose you should have
that conversation among core Mesa developers and FD.o admins.


It sounds like we want to have a mesa-security mailing list to receive 
the bugzilla messages for the hidden/security bugs.  Whoever's on that 
list should have access to the bugs.  I'm not sure what the fd.o 
admins need to set that up.


Benoit, did you create a bugzilla request for a mesa-security list? 
If not, would you mind doing that?


-Brian


Re: [Mesa-dev] Proposal: allow hidden security bugs on Mesa's Bugzilla

2012-11-30 Thread Benoit Jacob
On 12-11-23 02:21 PM, Benoit Jacob wrote:
 On 12-11-21 12:48 PM, Chad Versace wrote:
 On 11/20/2012 09:29 AM, Benoit Jacob wrote:

 Any questions?
 Do you support or oppose me asking FD.o admins to allow hidden bugs on
 Mesa's bugzilla?

 Benoit
 I support this. It seems a sensible proposal for addressing security bugs.

 Thanks. I have just sent the request to FD.o admins.

 Benoit

This option is now turned on on Bugzilla.

See the new checkbox: Mesa Security Group

Thanks!
Benoit




Re: [Mesa-dev] Proposal: allow hidden security bugs on Mesa's Bugzilla

2012-11-30 Thread Marek Olšák
I can see that the security test bug is assigned to mesa-dev by
default, so all comments go to the mailing list. I don't think that's
desirable.

Marek

On Fri, Nov 30, 2012 at 1:43 PM, Benoit Jacob bja...@mozilla.com wrote:
 On 12-11-23 02:21 PM, Benoit Jacob wrote:
 On 12-11-21 12:48 PM, Chad Versace wrote:
 On 11/20/2012 09:29 AM, Benoit Jacob wrote:

 Any questions?
 Do you support or oppose me asking FD.o admins to allow hidden bugs on
 Mesa's bugzilla?

 Benoit
 I support this. It seems a sensible proposal for addressing security bugs.

 Thanks. I have just sent the request to FD.o admins.

 Benoit

 This option is now turned on on Bugzilla.

 See the new checkbox: Mesa Security Group

 Thanks!
 Benoit




Re: [Mesa-dev] Proposal: allow hidden security bugs on Mesa's Bugzilla

2012-11-30 Thread Benoit Jacob
Aaargh

On 12-11-30 07:55 AM, Marek Olšák wrote:
 I can see that the security test bug is assigned to mesa-dev by
 default, so all comments go to the mailing list. I don't think that's
 desirable.

 Marek

 On Fri, Nov 30, 2012 at 1:43 PM, Benoit Jacob bja...@mozilla.com wrote:
 On 12-11-23 02:21 PM, Benoit Jacob wrote:
 On 12-11-21 12:48 PM, Chad Versace wrote:
 On 11/20/2012 09:29 AM, Benoit Jacob wrote:

 Any questions?
 Do you support or oppose me asking FD.o admins to allow hidden bugs on
 Mesa's bugzilla?

 Benoit
 I support this. It seems a sensible proposal for addressing security bugs.

 Thanks. I have just sent the request to FD.o admins.

 Benoit
 This option is now turned on on Bugzilla.

 See the new checkbox: Mesa Security Group

 Thanks!
 Benoit



Re: [Mesa-dev] Proposal: allow hidden security bugs on Mesa's Bugzilla

2012-11-30 Thread Jerome Glisse
On Fri, Nov 30, 2012 at 7:43 AM, Benoit Jacob bja...@mozilla.com wrote:
 On 12-11-23 02:21 PM, Benoit Jacob wrote:
 On 12-11-21 12:48 PM, Chad Versace wrote:
 On 11/20/2012 09:29 AM, Benoit Jacob wrote:

 Any questions?
 Do you support or oppose me asking FD.o admins to allow hidden bugs on
 Mesa's bugzilla?

 Benoit
 I support this. It seems a sensible proposal for addressing security bugs.

 Thanks. I have just sent the request to FD.o admins.

 Benoit

 This option is now turned on on Bugzilla.

 See the new checkbox: Mesa Security Group

 Thanks!
 Benoit


How does one get into the security group ?

Cheers,
Jerome


Re: [Mesa-dev] Proposal: allow hidden security bugs on Mesa's Bugzilla

2012-11-30 Thread Benoit Jacob
On 12-11-30 12:13 PM, Jerome Glisse wrote:
 On Fri, Nov 30, 2012 at 7:43 AM, Benoit Jacob bja...@mozilla.com wrote:
 On 12-11-23 02:21 PM, Benoit Jacob wrote:
 On 12-11-21 12:48 PM, Chad Versace wrote:
 On 11/20/2012 09:29 AM, Benoit Jacob wrote:

 Any questions?
 Do you support or oppose me asking FD.o admins to allow hidden bugs on
 Mesa's bugzilla?

 Benoit
 I support this. It seems a sensible proposal for addressing security bugs.

 Thanks. I have just sent the request to FD.o admins.

 Benoit
 This option is now turned on on Bugzilla.

 See the new checkbox: Mesa Security Group

 Thanks!
 Benoit

 How does one get into the security group ?

Don't ask me --- obviously I amn't part of it. I suppose you should have
that conversation among core Mesa developers and FD.o admins.

Benoit


 Cheers,
 Jerome



Re: [Mesa-dev] Proposal: allow hidden security bugs on Mesa's Bugzilla

2012-11-23 Thread Benoit Jacob
On 12-11-21 12:48 PM, Chad Versace wrote:
 On 11/20/2012 09:29 AM, Benoit Jacob wrote:

 Any questions?
 Do you support or oppose me asking FD.o admins to allow hidden bugs on
 Mesa's bugzilla?

 Benoit
 I support this. It seems a sensible proposal for addressing security bugs.

Thanks. I have just sent the request to FD.o admins.

Benoit



Re: [Mesa-dev] Proposal: allow hidden security bugs on Mesa's Bugzilla

2012-11-21 Thread Chad Versace
On 11/20/2012 09:29 AM, Benoit Jacob wrote:

 Any questions?
 Do you support or oppose me asking FD.o admins to allow hidden bugs on
 Mesa's bugzilla?
 
 Benoit

I support this. It seems a sensible proposal for addressing security bugs.



[Mesa-dev] Proposal: allow hidden security bugs on Mesa's Bugzilla

2012-11-20 Thread Benoit Jacob
List,

I was told to send this to freedesktop.org admins, but as I fully expect
that this will be controversial among some Mesa developers, I thought
that I would write to this list first and check that there is enough
agreement here.

WebGL-enabled browsers have faced security bugs in all drivers --- Mesa
is not special in this respect. When that happens, we need to have
conversations with the driver developers, not only to get the bugs fixed
in future driver versions, but also to get the insight that we need in
the short term to assess the security implications of the bug, develop
mitigations, and decide whether the affected driver needs to be blacklisted.

Discussions of security-sensitive bugs need to be private. I understand
that this is a controversial statement in many F/OSS communities, but it
is how all browser projects, including Mozilla and Chromium, work, and
that part has to be accepted as an axiom in the present discussion.

Given that, what has happened is that when browser developers (Mozilla
and Chromium at least) identified security bugs in Mesa, as Mesa's
bugzilla does not currently have the option to hide security bugs, we
had to resort to
 * either using private e-mail
 * or CCing Mesa developers on our own secure bugs
Both solutions are poor, and a better solution would be for Mesa's
bugzilla to allow hidden security bugs so we could work there. Given
that security bug discussion can't be open, that is the least bad
solution possible.

Any questions?
Do you support or oppose me asking FD.o admins to allow hidden bugs on
Mesa's bugzilla?

Benoit



Re: [Mesa-dev] Proposal: allow hidden security bugs on Mesa's Bugzilla

2012-11-20 Thread Alan Coopersmith
On 11/20/12 09:29 AM, Benoit Jacob wrote:
 Both solutions are poor, and a better solution would be for Mesa's
 bugzilla to allow hidden security bugs so we could work there. Given
 that security bug discussion can't be open, that is the least bad
 solution possible.

For what it's worth, Mesa wouldn't be the first project on the freedesktop
bugzilla to enable this - security bugs filed against X.Org software are
kept private to the X.Org security team until we publish our advisory.

-- 
-Alan Coopersmith-  alan.coopersm...@oracle.com
 Oracle Solaris Engineering - http://blogs.oracle.com/alanc