30 May 2018, 03:46
On 30/05/18 12:58, Carlos E. R. wrote:
> On 2018-05-30 04:24, Basil Chupin wrote:
>> On 30/05/18 02:18, Stefan Seyfried wrote:
>>> On 29.05.2018 at 16:13, Anton Aylward wrote:
>>>> On 29/05/18 04:05 AM, Simon Lees wrote:
>>>> I can see that there is customer info that must remain private.
>>>> I, too, am a 'customer' for various entities and I have to supply
>>>> them with information such as credit card numbers.
>>>>
>>>> But let's face reality.
>>>> [snip]
>>>> But I don't see how a bug in FOSS software is in that category.
>>>> I don't see that the fact that Company X uses a specific application
>>>> made of FOSS software is "private customer information".
>>> This information is really mostly harmless.
>>> But when I report a bug at work, I add
>>> * log files (host names, IP addresses)
>>> * config files (host names, IP addresses, config options, security
>>>   settings, ...)
>>> * a detailed description of our specific setup (in the "how to
>>>   reproduce" section)
>>> * a detailed description of the system tuning, make and model of the
>>>   used hardware, ...
>>> * crashdumps (unlikely to end up in bugzilla due to their sheer size,
>>>   but maybe parts of them from the debugger tool output)
>>>
>>> This is probably not only data of the company I work for, but also from
>>> our customers.
>>>
>>> This all is clearly confidential, as it would for example be interesting
>>> for attackers trying to sneak into our network, or for competitors.
>>>
>>> Because of this, SUSE had to sign an NDA with us for us to even consider
>>> buying subscriptions / support, and my employer would surely sue the
>>> hell out of SUSE, Microfocus, whoever if this would not be respected.
>>> I think this is the same with most other customers.
>> And yet you just said that the info. you provide SUSE in a bug report
>> may contain customer information... Ouch!
> Obviously.
>
> It is very difficult to sanitize a log from all such delicate
> information, and in doing so, you might modify unknowingly information
> that is crucial for diagnosing the bug.
>
> Marking bugs private is a need. For instance, yesterday I submitted an
> entire virtual machine dump in an effort to help reproduce a problem in
> a bugzilla. I do not wish the entire internet to have access to it,
> would you?
>
> Yet, if a solution is found for the bug, it has to be published. But not
> my virtual machine.
>
> Suppose an investigation of a mail problem. You submit the mail logs -
> which have the mail addresses of internal and external contacts, and
> perhaps passwords! Yes, you can sanitize them, but this is an excruciating
> job and the resulting obfuscation might forget things, or impede the bug
> diagnosis.
>
> So SUSE needs the whole logs, and has to keep them secret. I would think
> that perhaps they be erased after the investigation.
>
> It is a difficult problem. SUSE, and sometimes openSUSE, needs to be
> able to mark some information private, simple as that.

Carlos, you are missing the point of my comment.

BC

--
"..The times have been
That, when the brains were out,
the man would die,.."
"Macbeth", Shakespeare

--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org