On Tuesday, 29 May 2018 10:39 Richard Brown wrote:
On 29 May 2018 at 08:36, Michal Kubecek wrote:
Embargoed security bugs are actually not that much of a problem. As security bugs are public by default, even embargoed ones are bound to become public eventually so that involved people (should) keep that in mind from the start and (should) think about which comment or attachment should be private and which not.
Well yes, not a problem from your perspective, but from a non-SUSE contributor's perspective there is no way of knowing that a private bug is private because it's a security bug or a normal product bug.
Security bugs are public by default. The only exception should be embargoed ones but those are only private until the embargo is lifted - and before that they shouldn't be referenced anywhere in public (not even in OBS). In theory, it might be possible to have updated packages released before the security team clears the flag in Bugzilla but it's very unlikely.

Michal Kubecek