Hello,

On 2022-04-21 11:00, Simon Lees wrote:
> On 4/21/22 17:40, Johannes Meixner wrote:
>> On 2022-04-21 10:03, Marcus Meissner wrote:
>>> On Thu, Apr 21, 2022, Johannes Meixner wrote:
>>> ...
>>>> So a valid RPM changelog entry could be something like
>>>> ----------------------------------------------------------
>>>> - Security fix for ... CVE-1234-56789 (bsc#98765432)
>>>> ----------------------------------------------------------
>>>> where CVE-1234-56789 is publicly accessible
>>>> but bsc#98765432 is a SUSE internal bug.
>>> ...
>>> if a bug is from a customer making it public is hard
>>> due to the usual confidentiality / data protection rules.
>>
>> that's what I meant with "bsc#98765432" in my example.
>> I.e. when a customer reported a security issue we won't make
>> his bug report public to not give foreigners any hint about
>> his environment.
>
> Security bugs are not the issue here, the security team does
> a really good job of making sure all security bugs end up public.
> The issue here is when a customer creates an L3 bug report,
> often there is customer info in places where we simply can't hide
> and our current policy is not to make a second "public" version
> of the ticket.

Ah!

So what happens when a customer reported a security issue
as L3 bug report with customer internal info as usual?

Then the security team does a really good job of making sure
that L3 bug report ends up public?

Likely it is too risky and too complicated to hide all bug entries
that contain customer internal info from the public.

So I guess a separate security bug report may be created
together with a public new CVE issue.

Then the RPM changelog entry could be something like
----------------------------------------------------------
- Security fix for ... CVE-1234-56789 (boo#789 bsc#456)
----------------------------------------------------------
where boo#789 is the public openSUSE security bug report
and bsc#456 is the SUSE internal L3 bug report.

The initial proposal wants that bsc#456 is public
and my argument was that this is not possible.

I wonder why we are now talking about details
(triggered by my simple initial offhanded example)
how and when which kind of SUSE internal things
(there are also other SUSE internal things
that are not SUSE bugzilla issues)
are made public under which specific circumstances
and who does what really good job
instead of discussing the initial proposal?

Kind Regards
Johannes Meixner
--
SUSE Software Solutions Germany GmbH
Maxfeldstr. 5 - 90409 Nuernberg - Germany
(HRB 36809, AG Nuernberg) GF: Ivo Totev