Tomáš Chvátal wrote:
> Just informational mail that we plan to enable bnc# checking in the changelogs to ensure that Factory submissions are in fact only listing visible bugs. [1] [2]
I was the one asking for that feature but unfortunately was on vacation when the first implementation was proposed, so let me respond to a few concerns brought up in this thread.

- There is no security background on this request. It's just for the sake of allowing people to check the reason of changes, allow them to comment on them in the right place and potentially also allow them to re-open the bug if needed. It's a PITA having to ask people via side channels to open bug reports and then wait days to get a reaction. Anyone who was in the situation of having to deal with e.g. Legal bugs assigned to others knows how it interrupts your workflow and how bad it feels.

- Legal bugs not being public is for legacy reasons and the way bugzilla is currently set up. I've been talking to people about getting openSUSE legal bugs public by default. There seems to be an agreement and a way to achieve that. Implementation pending.

- It is true that the initial description of bugs cannot be modified. So if you accidentally pasted stuff there that shouldn't be public you have to mark it private and provide a better summary in another comment as a workaround. That is a limitation of our bugzilla instance and could be fixed.

- Security bugs are not public only when there is an embargo. During that period there are no requests that concern factory-auto. When a security issue becomes public the SUSE Security Team makes the bug public. The security team files bugs already having in mind that the bug will have to be made public at some point, exactly because of the aforementioned limitation. Any really sensitive information is kept private of course. Bug comments and attachments are reviewed before actually opening up a bug. Err on the safe side. I've been doing that myself for years, it's not a big deal and worth the extra effort to make the work more transparent.

- If it's technically not possible to make SLE bugs public because the check box is missing then this can be fixed by changing the product configuration in bugzilla. Wrt sensitive information in there the same process as security has followed for years already can be applied. It's just a matter of willingness to do that.

- Wrt the implementation I agree that the checker should only look at the diff and not require changing legacy bugs.

- A rejection by factory-auto is not an ultimate failure. If the submission got rejected because of a non-public bug you are free to re-open the request. If the reviewers are fine with that, fine. Still, maybe that little extra step helps to raise awareness and reduce the number of actually needlessly private bug reports.

- Obviously other distros aren't perfect either. That doesn't mean we should use that as an excuse for not improving ourselves.

cu
Ludwig

--
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
       SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
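The checker design agreed on in the thread (look only at the diff of the submitted .changes file, so that bnc# references in legacy entries are never re-checked) can be illustrated with a small added example. This is not the factory-auto implementation or any openSUSE tooling; the diff, the bug numbers and the visibility table are constructed for the demonstration, and the `is_public` callback stands in for the Bugzilla query a real checker would make (an assumption, not a documented API call).

```python
import re
from typing import Callable, Iterable, List, Set

# bnc#NNNN references as written in openSUSE .changes files.
BNC_RE = re.compile(r"\bbnc#(\d+)")

# Constructed unified diff of a .changes file: the new entry is added at the
# top, the legacy entry below it appears only as unchanged context.
SAMPLE_DIFF = """\
--- foo.changes
+++ foo.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Wed Jan 01 00:00:00 UTC 2014 - packager@example.com
+
+- update to 1.2.3 (bnc#100001, bnc#100002)
+- fix build with new compiler (bnc#100003)
+
 -------------------------------------------------------------------
 Legacy entry referencing a private bug (bnc#900000)
"""

# Constructed visibility table; a real checker would ask Bugzilla (assumption).
# Bugs missing from the table are treated as not public, so a typo in a bug
# number is flagged rather than silently accepted.
SAMPLE_VISIBILITY = {"100001": True, "100002": False, "100003": True}


def sample_is_public(bug_id: str) -> bool:
    return SAMPLE_VISIBILITY.get(bug_id, False)


def added_lines(diff: Iterable[str]) -> List[str]:
    """Return the content of '+' lines, skipping the '+++' file header."""
    out = []
    for line in diff:
        if line.startswith("+++ "):
            continue
        if line.startswith("+"):
            out.append(line[1:])
    return out


def referenced_bugs(lines: Iterable[str]) -> Set[str]:
    """Collect every bnc# id mentioned in the given lines."""
    ids: Set[str] = set()
    for line in lines:
        ids.update(BNC_RE.findall(line))
    return ids


def nonpublic_bugs(diff: Iterable[str],
                   is_public: Callable[[str], bool]) -> List[str]:
    """bnc# ids referenced in ADDED changelog lines that are not public.

    Only added lines are inspected, so references in legacy entries that
    are merely diff context are never checked.
    """
    ids = referenced_bugs(added_lines(diff))
    return sorted((i for i in ids if not is_public(i)), key=int)


def review_verdict(diff: Iterable[str],
                   is_public: Callable[[str], bool]) -> str:
    """'accept' when all newly referenced bugs are public, else a reason."""
    hidden = nonpublic_bugs(list(diff), is_public)
    if not hidden:
        return "accept"
    return "declined: non-public bug(s) referenced: " + ", ".join(
        "bnc#" + i for i in hidden)


if __name__ == "__main__":
    print(review_verdict(SAMPLE_DIFF.splitlines(), sample_is_public))
```

Running it on the constructed diff declines the request because of bnc#100002 only; bnc#900000 in the legacy entry is not examined. Because the verdict is advisory, as the thread notes, a maintainer can still re-open the request after a reviewer has looked at it.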