On 2018-05-30 04:24, Basil Chupin wrote:
On 30/05/18 02:18, Stefan Seyfried wrote:
Am 29.05.2018 um 16:13 schrieb Anton Aylward:
On 29/05/18 04:05 AM, Simon Lees wrote: I can see that there is customer info that must remain private. I, too, am a 'customer' for various entities and I have to supply them with information such as credit card numbers.
But let's face reality. [snip] But I don't see how a bug in FOSS software is in that category. I don't see that the fact that Company X uses a specific application made of FOSS software is "private customer information". This information is really mostly harmless. But when I report a bug at work, I add
- log files (host names, IP addresses)
- config files (host names, IP addresses, config options, security settings, ...)
- a detailed description of our specific setup (in the "how to reproduce" section)
- a detailed description of the system tuning, make and model of the used hardware, ...
- crashdumps (unlikely to end up in bugzilla due to their sheer size, but maybe parts of them from the debugger tool output)
This is probably not only data of the company I work for, but also from our customers.
This all is clearly confidential, as it would for example be interesting for attackers trying to sneak into our network, or for competitors.
Because of this, SUSE had to sign an NDA with us for us to even consider buying subscriptions / support, and my employer would surely sue the hell out of SUSE, Microfocus, whoever if this would not be respected. I think this is the same with most other customers.
And yet you just said that the info. you provide SUSE in a bug report may contain customer information... Ouch!
Obviously. It is very difficult to sanitize a log from all such delicate information, and in doing so, you might modify unknowingly information that is crucial for diagnosing the bug.

Marking bugs private is a need.

For instance, yesterday I submitted an entire virtual machine dump in an effort to help reproduce a problem in a bugzilla. I do not wish the entire internet to have access to it, would you? Yet, if a solution is found for the bug, it has to be published. But not my virtual machine.

Suppose an investigation of a mail problem. You submit the mail logs - which have the mail addresses of internal and external contacts, and perhaps passwords! Yes, you can sanitize them, but this is an excruciating job and the resulting obfuscation might forget things, or impede the bug diagnosis. So SUSE needs the whole logs, and has to keep them secret. I would think that perhaps they be erased after the investigation.

It is a difficult problem. SUSE, and sometimes openSUSE, needs to be able to mark some information private, simple as that.

--
Cheers / Saludos,
Carlos E. R.
(from 42.3 x86_64 "Malachite" at Telcontar)
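
The following is an added example, not part of the message above or of any SUSE tooling. It sketches the sanitizing trade-off the thread describes: keyed, stable pseudonyms keep the correlations a bug triager needs, while a second pass flags what the patterns missed. The regexes, the `.example` internal domain, the key and the sample lines are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed sample lines in a Postfix-like style; every value is made up.
SAMPLE_LOG = """\
May 29 10:01:02 mx1.corp.example postfix/smtpd[811]: connect from unknown[192.0.2.15]
May 29 10:01:03 mx1.corp.example postfix/qmgr[402]: 4F1A2: from=<alice@corp.example>, size=2048
May 29 10:01:04 mx1.corp.example postfix/smtp[815]: 4F1A2: to=<bob@partner.example>, relay=198.51.100.7
May 29 10:01:09 mx1.corp.example postfix/smtpd[811]: disconnect from unknown[192.0.2.15]
May 29 10:01:10 mx1.corp.example app[900]: auth retry user=alice password=hunter2
"""

# Order matters: e-mail addresses before host names, so the domain part
# of an address is not rewritten first.
PATTERNS = [
    ("mail", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("ip", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("host", re.compile(r"\b[\w-]+(?:\.[\w-]+)*\.example\b")),  # assumed internal TLD
]
# Things the patterns above do not cover and that need a human look.
LEFTOVER = re.compile(r"(?i)\b(?:password|passwd|secret|token)=\S+")


def pseudonymize(text, key):
    """Replace each sensitive value with a keyed, stable token."""
    def token(kind, value):
        digest = hmac.new(key, value.lower().encode(), hashlib.sha256).hexdigest()
        return f"{kind}-{digest[:8]}"

    for kind, pattern in PATTERNS:
        text = pattern.sub(lambda m, k=kind: token(k, m.group(0)), text)
    return text


def leftovers(text):
    """Return (line number, match) pairs that still look sensitive."""
    return [(n, m.group(0))
            for n, line in enumerate(text.splitlines(), 1)
            for m in LEFTOVER.finditer(line)]


if __name__ == "__main__":
    clean = pseudonymize(SAMPLE_LOG, key=b"per-report secret, kept by the reporter")
    print(clean)
    print("needs manual review:", leftovers(clean))
```

The connect and disconnect lines keep the same `ip-` token, so the session can still be followed, but the password on the last line passes through the patterns untouched and only the second pass reports it.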