On 4/21/22 17:40, Johannes Meixner wrote:
Hello,
On 2022-04-21 10:03, Marcus Meissner wrote:
On Thu, Apr 21, 2022, Johannes Meixner wrote: ...
So a valid RPM changelog entry could be something like
----------------------------------------------------------
- Security fix for ... CVE-1234-56789 (bsc#98765432)
----------------------------------------------------------
where CVE-1234-56789 is publicly accessible but bsc#98765432 is a SUSE internal bug.
...
if a bug is from a customer, making it public is hard due to the usual confidentiality / data protection rules.
That's what I meant by "bsc#98765432" in my example. I.e., when a customer reports a security issue, we won't make his bug report public, to not give foreigners any hint about his environment.
Security bugs are not the issue here; the security team does a really good job of making sure all security bugs end up public. The issue here is when a customer creates an L3 bug report: often there is customer info in places where we simply can't hide it, and our current policy is not to make a second "public" version of the ticket. Another issue in the past was that by default all SLE beta issues were created as private, which is something that is being addressed and should improve in the future.

--
Simon Lees (Simotek) http://simotek.net
Emergency Update Team keybase.io/simotek
SUSE Linux Adelaide Australia, UTC+10:30
GPG Fingerprint: 5B87 DB9D 88DC F606 E489 CEC5 0922 C246 02F0 014B