On 29 May 2018 at 08:36, Michal Kubecek
It's not only logs, these bugs often contain data files needed to reproduce the issue or packet captures; those would be really hard to sanitize. Not to mention that any sanitization (or rather obfuscation) may hide important information. Any comment can casually mention something about network topology, equipment used etc. Actually, even company name can be a problem - and it's really hard to keep using "customer" everywhere rather than simply the name.
Yup, true
And then there are security incidents under embargo, which obviously are private and have to remain so until the embargo is lifted. These are so private that most SUSE employees can't even see them.
Embargoed security bugs are actually not that much of a problem. As security bugs are public by default, even embargoed ones are bound to become public eventually so that involved people (should) keep that in mind from the start and (should) think about which comment or attachment should be private and which not.
Well yes, not a problem from your perspective, but from a non-SUSE contributor's perspective there is no way of knowing whether a private bug is private because it's a security bug or a normal product bug. I expect a fair bit of the bugshare team's responses to be "it's a security bug, please be patient, it will be public when it can be".
"Normal" bugs, e.g. those coming from L3 process, are worse in this regard. People know these are not public by definition and often don't care to distinguish which comments are strictly internal and which not. Worse, they often mix internal process information with technical discussion in the same comment. It is hard enough to review 100 comments when we want to add customer/partner developers to Cc at some point; reviewing them to allow making the bug public can be a nightmare.
Absolutely, and thanks for bringing that up. It does a good job of highlighting just how tricky the work is that the bugshare team have volunteered for.

Regards,