Posted to dev@openoffice.apache.org by Pedro Giffuni <pf...@apache.org> on 2016/09/16 15:41:26 UTC

Access denied on bugzilla ...

FWIW ...
I just tried to access BZ 127117, which I created in the first place, and now I got
"You are not authorized to access issue #127117."
It is only a very minor update to openssl, and I wanted to submit the patch to do it. (AOO bugzilla and I have never been in a good relationship).
While here I shall explain the intent of the two recent requests: it is clear that we won't release soon updated, and hopefully secure, versions of some very basic support libraries/utilities. At least doing some minor low-hanging-fruit updates should save some pain to our users and some embarrassment to the project. The changes are very conservative and have been tested for a while in trunk but are superseded by the versions in trunk.
I will let the RM and the security team determine if they are worth it.
Regards,
Pedro.



Re: Access denied on bugzilla ...

Posted by Marcus <ma...@wtnet.de>.
Dennis was faster and fixed this in the meantime.

Marcus



On 09/16/2016 05:41 PM, Pedro Giffuni wrote:
> FWIW ...
> I just tried to access BZ 127117, which I created in the first place, and now I got
> "You are not authorized to access issue #127117."
> It is only a very minor update to openssl, and I wanted to submit the patch to do it. (AOO bugzilla and I have never been in a good relationship).
> While here I shall explain the intent of the two recent requests: it is clear that we won't release soon updated, and hopefully secure, versions of some very basic support libraries/utilities. At least doing some minor low-hanging-fruit updates should save some pain to our users and some embarrassment to the project. The changes are very conservative and have been tested for a while in trunk but are superseded by the versions in trunk.
> I will let the RM and the security team determine if they are worth it.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@openoffice.apache.org
For additional commands, e-mail: dev-help@openoffice.apache.org


Re: Access denied on bugzilla ...

Posted by Marcus <ma...@wtnet.de>.
On 09/16/2016 07:29 PM, Dennis E. Hamilton wrote:
> Oh, OK.  It was the general | security category that did that then.
>
> I think those *should* go to the security team and be made private automatically, just in case someone is inadvertently providing sensitive information that should be treated in confidence.
>
> Then when the issue is seen by the Security Team, we can decide whether to change its classification, as I just did with Issue 127117.
>
> I see that the explanation in the Bugzilla help for the general category is clear.  And we should continue to keep those automatically private until reviewed.
>
> Removing general | security seems like a bad idea.  We just have to ensure it is used properly by providing the safeguard that's there now.
>
> Does that work?

I've looked in BZ and it's not possible to change only 1 component of a 
product in a way that issues for this component are visible only for the 
sec team. This has to be done for the complete product.

We could create a product that is visible for the sec team only. But 
that would mean that issue creation is possible for everyone but 
accessing them again in the next second is only possible for the sec 
team. This also won't improve the situation.

So, I think we cannot do much to avoid further confusion in the future.

Marcus



>> -----Original Message-----
>> From: Marcus [mailto:marcus.mail@wtnet.de]
>> Sent: Friday, September 16, 2016 09:52
>> To: dev@openoffice.apache.org
>> Subject: Re: Access denied on bugzilla ...
>>
>> Dennis, please have a look into the history of the issue [1]. Here you
>> can see that *Pedro has not* set the assignee. The reason is the BZ
>> setting of the "security" component he has chosen at issue creation. So,
>> it's not wrong that the issue was sent to the security team.
>>
>> We should think about not routing these kinds of issues to the security
>> team.
>>
>> [1] https://bz.apache.org/ooo/show_activity.cgi?id=127117
>>
>> Marcus
>>
>>
>>
>> On 09/16/2016 06:43 PM, Dennis E. Hamilton wrote:
>>> Pedro,
>>>
>>> When you assign an issue to security@openoffice.apache.org, it becomes
>> invisible to all but the security team.
>>>
>>> Since this is not about a vulnerability, I will change the issue to
>> the default assignment.
>>>
>>> Please do not assign issues to others.  If you want to assign it to
>> yourself, that is fine.  Otherwise use the default assignment.
>>>
>>> If you are ever dealing with an exploitable vulnerability, do not use
>> bugzilla.  Communicate with the security@ mailing list directly.
>>>
>>>    - Dennis
>>>
>>>
>>>> -----Original Message-----
>>>> From: Pedro Giffuni [mailto:pfg@apache.org]
>>>> Sent: Friday, September 16, 2016 08:41
>>>> To: OOo Apache<de...@openoffice.apache.org>
>>>> Subject: Access denied on bugzilla ...
>>>>
>>>> FWIW ...
>>>> I just tried to access BZ 127117, which I created in the first place,
>>>> and now I got
>>>> "You are not authorized to access issue #127117."
>>>> It is only a very minor update to openssl, and I wanted to submit the
>>>> patch to do it. (AOO bugzilla and I have never been in a good
>>>> relationship).
>>>> While here I shall explain the intent of the two recent requests: it
>> is
>>>> clear that we won't release soon updated, and hopefully secure,
>> versions
>>>> of some very basic support libraries/utilities. At least doing some
>>>> minor low-hanging-fruit updates should save some pain to our users
>> and
>>>> some embarrassment to the project. The changes are very conservative
>> and
>>>> have been tested for a while in trunk but are superseded by the
>> versions
>>>> in trunk.
>>>> I will let the RM and the security team determine if they are worth
>> it.
>>>> Regards,
>>>> Pedro.



RE: Access denied on bugzilla ...

Posted by "Dennis E. Hamilton" <de...@acm.org>.
Oh, OK.  It was the general | security category that did that then.

I think those *should* go to the security team and be made private automatically, just in case someone is inadvertently providing sensitive information that should be treated in confidence.

Then when the issue is seen by the Security Team, we can decide whether to change its classification, as I just did with Issue 127117.

I see that the explanation in the Bugzilla help for the general category is clear.  And we should continue to keep those automatically private until reviewed.

Removing general | security seems like a bad idea.  We just have to ensure it is used properly by providing the safeguard that's there now.

Does that work?

 - Dennis

> -----Original Message-----
> From: Marcus [mailto:marcus.mail@wtnet.de]
> Sent: Friday, September 16, 2016 09:52
> To: dev@openoffice.apache.org
> Subject: Re: Access denied on bugzilla ...
> 
> Dennis, please have a look into the history of the issue [1]. Here you
> can see that *Pedro has not* set the assignee. The reason is the BZ
> setting of the "security" component he has chosen at issue creation. So,
> it's not wrong that the issue was sent to the security team.
> 
> We should think about not routing these kinds of issues to the security
> team.
> 
> [1] https://bz.apache.org/ooo/show_activity.cgi?id=127117
> 
> Marcus
> 
> 
> 
> On 09/16/2016 06:43 PM, Dennis E. Hamilton wrote:
> > Pedro,
> >
> > When you assign an issue to security@openoffice.apache.org, it becomes
> invisible to all but the security team.
> >
> > Since this is not about a vulnerability, I will change the issue to
> the default assignment.
> >
> > Please do not assign issues to others.  If you want to assign it to
> yourself, that is fine.  Otherwise use the default assignment.
> >
> > If you are ever dealing with an exploitable vulnerability, do not use
> bugzilla.  Communicate with the security@ mailing list directly.
> >
> >   - Dennis
> >
> >
> >> -----Original Message-----
> >> From: Pedro Giffuni [mailto:pfg@apache.org]
> >> Sent: Friday, September 16, 2016 08:41
> >> To: OOo Apache<de...@openoffice.apache.org>
> >> Subject: Access denied on bugzilla ...
> >>
> >> FWIW ...
> >> I just tried to access BZ 127117, which I created in the first place,
> >> and now I got
> >> "You are not authorized to access issue #127117."
> >> It is only a very minor update to openssl, and I wanted to submit the
> >> patch to do it. (AOO bugzilla and I have never been in a good
> >> relationship).
> >> While here I shall explain the intent of the two recent requests: it
> is
> >> clear that we won't release soon updated, and hopefully secure,
> versions
> >> of some very basic support libraries/utilities. At least doing some
> >> minor low-hanging-fruit updates should save some pain to our users
> and
> >> some embarrassment to the project. The changes are very conservative
> and
> >> have been tested for a while in trunk but are superseded by the
> versions
> >> in trunk.
> >> I will let the RM and the security team determine if they are worth
> it.
> >> Regards,
> >> Pedro.
> 




Re: Access denied on bugzilla ...

Posted by Marcus <ma...@wtnet.de>.
Dennis, please have a look into the history of the issue [1]. Here you 
can see that *Pedro has not* set the assignee. The reason is the BZ 
setting of the "security" component he has chosen at issue creation. So, 
it's not wrong that the issue was sent to the security team.

We should think about not routing these kinds of issues to the security team.

[1] https://bz.apache.org/ooo/show_activity.cgi?id=127117

Marcus



On 09/16/2016 06:43 PM, Dennis E. Hamilton wrote:
> Pedro,
>
> When you assign an issue to security@openoffice.apache.org, it becomes invisible to all but the security team.
>
> Since this is not about a vulnerability, I will change the issue to the default assignment.
>
> Please do not assign issues to others.  If you want to assign it to yourself, that is fine.  Otherwise use the default assignment.
>
> If you are ever dealing with an exploitable vulnerability, do not use bugzilla.  Communicate with the security@ mailing list directly.
>
>   - Dennis
>
>
>> -----Original Message-----
>> From: Pedro Giffuni [mailto:pfg@apache.org]
>> Sent: Friday, September 16, 2016 08:41
>> To: OOo Apache<de...@openoffice.apache.org>
>> Subject: Access denied on bugzilla ...
>>
>> FWIW ...
>> I just tried to access BZ 127117, which I created in the first place,
>> and now I got
>> "You are not authorized to access issue #127117."
>> It is only a very minor update to openssl, and I wanted to submit the
>> patch to do it. (AOO bugzilla and I have never been in a good
>> relationship).
>> While here I shall explain the intent of the two recent requests: it is
>> clear that we won't release soon updated, and hopefully secure, versions
>> of some very basic support libraries/utilities. At least doing some
>> minor low-hanging-fruit updates should save some pain to our users and
>> some embarrassment to the project. The changes are very conservative and
>> have been tested for a while in trunk but are superseded by the versions
>> in trunk.
>> I will let the RM and the security team determine if they are worth it.
>> Regards,
>> Pedro.



RE: Access denied on bugzilla ...

Posted by "Dennis E. Hamilton" <de...@acm.org>.
Pedro,

When you assign an issue to security@openoffice.apache.org, it becomes invisible to all but the security team.  

Since this is not about a vulnerability, I will change the issue to the default assignment.

Please do not assign issues to others.  If you want to assign it to yourself, that is fine.  Otherwise use the default assignment.

If you are ever dealing with an exploitable vulnerability, do not use bugzilla.  Communicate with the security@ mailing list directly.

 - Dennis


> -----Original Message-----
> From: Pedro Giffuni [mailto:pfg@apache.org]
> Sent: Friday, September 16, 2016 08:41
> To: OOo Apache <de...@openoffice.apache.org>
> Subject: Access denied on bugzilla ...
> 
> FWIW ...
> I just tried to access BZ 127117, which I created in the first place,
> and now I got
> "You are not authorized to access issue #127117."
> It is only a very minor update to openssl, and I wanted to submit the
> patch to do it. (AOO bugzilla and I have never been in a good
> relationship).
> While here I shall explain the intent of the two recent requests: it is
> clear that we won't release soon updated, and hopefully secure, versions
> of some very basic support libraries/utilities. At least doing some
> minor low-hanging-fruit updates should save some pain to our users and
> some embarrassment to the project. The changes are very conservative and
> have been tested for a while in trunk but are superseded by the versions
> in trunk.
> I will let the RM and the security team determine if they are worth it.
> Regards,
> Pedro.
> 


