List:       kde-devel
Subject:    Proper security-related issue handling on bugs.kde.org
From:       Richard Hartmann <richih.mailinglist () gmail ! com>
Date:       2010-05-14 8:39:05
Message-ID: AANLkTinKqW109b0A9Uwpk3clexgawpITNpw5gkHfer4d () mail ! gmail ! com

-=PLEASE KEEP ME CC'ed ON THIS THREAD=-


Hi all,

as per security policy[1], the only way to handle security-related
issues is to send email to security@kde.org. The reasoning behind this
is, of course, that these issues should be handled quietly.

Yet, when an issue is already on bugs.kde.org, there is no readily
apparent way of making the security team aware of this issue. Obviously,
one can simply CC this list, which I just did for [2] and [3], but I
would argue that this is not intuitive at all.
At the least, I would suggest that [4] is updated to mention security
for Major or Critical.
Ideally, there would be an extra severity and/or an extra field to
mark security-related issues as such.


Thanks,
Richard

PS: As a reminder, please keep me CC'ed. I would really like to follow
this discussion. Alternatively, keep this discussion to kde-devel, not
security@. I am cross-posting because I really don't know where to send
this.


[1] http://kde.org/info/security/policy.php
[2] https://bugs.kde.org/show_bug.cgi?id=171608
[3] https://bugs.kde.org/show_bug.cgi?id=233104
[4] https://bugs.kde.org/page.cgi?id=fields.html#bug_severity
 