30 May 2018 08:11
> Sent: Wednesday, 30 May 2018 at 04:58
> From: "Carlos E. R."
> To: opensuse-factory@opensuse.org
> Subject: Re: [opensuse-factory] Opening private bugs
>
> On 2018-05-30 04:24, Basil Chupin wrote:
> > On 30/05/18 02:18, Stefan Seyfried wrote:
> >> On 29.05.2018 at 16:13, Anton Aylward wrote:
> >>> On 29/05/18 04:05 AM, Simon Lees wrote:
> >>> I can see that there is customer info that must remain private.
> >>> I, too, am a 'customer' for various entities and I have to supply
> >>> them with information such as credit card numbers.
> >>>
> >>> But let's face reality.
> >>> [snip]
> >>> But I don't see how a bug in FOSS software is in that category.
> >>> I don't see that the fact that Company X uses a specific application
> >>> made of FOSS software is "private customer information".
> >> This information is really mostly harmless.
> >> But when I report a bug at work, I add
> >> * log files (host names, IP addresses)
> >> * config files (host names, IP addresses, config options, security
> >>   settings, ...)
> >> * a detailed description of our specific setup (in the "how to
> >>   reproduce" section)
> >> * a detailed description of the system tuning, make and model of the
> >>   used hardware, ...
> >> * crashdumps (unlikely to end up in bugzilla due to their sheer size,
> >>   but maybe parts of them from the debugger tool output)
> >>
> >> This is probably not only data of the company I work for, but also from
> >> our customers.
> >>
> >> This all is clearly confidential, as it would for example be interesting
> >> for attackers trying to sneak into our network, or for competitors.
> >>
> >> Because of this, SUSE had to sign an NDA with us for us to even consider
> >> buying subscriptions / support, and my employer would surely sue the
> >> hell out of SUSE, Microfocus, whoever if this would not be respected.
> >> I think this is the same with most other customers.
> >
> > And yet you just said that the info. you provide SUSE in a bug report
> > may contain customer information... Ouch!
>
> Obviously.
>
> It is very difficult to sanitize a log from all such delicate
> information, and in doing so, you might unknowingly modify information
> that is crucial for diagnosing the bug.
>
> Marking bugs private is a need. For instance, yesterday I submitted an
> entire virtual machine dump in an effort to help reproduce a problem in
> a bugzilla. I do not wish the entire internet to have access to it,
> would you?
>
> Yet, if a solution is found for the bug, it has to be published. But not
> my virtual machine.
>
> Suppose an investigation of a mail problem. You submit the mail logs,
> which have the mail addresses of internal and external contacts, and
> perhaps passwords! Yes, you can sanitize them, but this is an excruciating
> job and the resulting obfuscation might miss things, or impede the bug
> diagnosis.
>
> So SUSE needs the whole logs, and has to keep them secret. I would think
> that perhaps they should be erased after the investigation.
>
> It is a difficult problem. SUSE, and sometimes openSUSE, needs to be
> able to mark some information private, simple as that.
>
> --

That's a topic for group security in Bugzilla. I know from other issue trackers that it is possible for attachments to be readable/downloadable only by a specific group in the project. So we can create groups like SUSE and openSUSE. We should try that with Bugzilla [1]. I would be surprised if it isn't possible to have security rules for attachments. So customer data can be safe.

Best regards,
Sarah

[1] https://www.bugzilla.org/docs/4.4/en/html/parameters.html#param-group-security