Mailinglist Archive: opensuse-factory (536 mails)

< Previous Next >
Re: [opensuse-factory] Opening private bugs
On 30/05/18 12:58, Carlos E. R. wrote:
On 2018-05-30 04:24, Basil Chupin wrote:
On 30/05/18 02:18, Stefan Seyfried wrote:
Am 29.05.2018 um 16:13 schrieb Anton Aylward:
On 29/05/18 04:05 AM, Simon Lees wrote:
I can see that there is customer info that must remain private.
I, too, an a 'customer' for various entities and I have to supply
them with with
information such as credit card numbers.

But let's face reality.
[snip]
But I don't see how a bug in FOSS software is in that category.
I don't see that the fact that Company X uses a specific application
made of
FOSS software is "private customer information".
This information is really mostly harmless.
But when I report a bug at work, I add
* log files (host names, IP addresses)
* config files (host names, IP addresses, config options, security
settings, ...)
* a detailed description of our specific setup (in the "how to
reproduce" section)
* a detailed description of the system tuning, make and model of the
used hardware, ...
* crashdumps (unlikely to end up in bugzilla due to their sheer size,
but maybe parts of them from the debugger tool output)

This is probably not only data of the company I work for, but also from
our customers.

This all is clearly confidential, as it would for example be interesting
for attackers trying to sneak into our network, or for competitors.

Because of this, SUSE had to sign a NDA with us for us to even consider
buying subscriptions / support, and my employer would surely sue the
hell out of SUSE, Microfocus, whoever if this would not be respected.
I think this is the same with most other customers.
And yet you just said that the info. you provide SUSE in a bug report
may contain customer information... Ouch!
Obviously.

It is very difficult to sanitize a log from all such delicate
information, and in doing so, you might modify unknowingly information
that is crucial for diagnosing the bug.

Marking bugs private is a need. For instance, yesterday I submitted an
entire virtual machine dump in an effort to help reproduce a problem in
a bugzilla. I do not wish the entire internet to have access to it,
would you?

Yet, if a solution is found for the bug, it has to be published. But not
my virtual machine.

Suppose an investigation of a mail problem. You submit the mail logs -
which has the mail addresses of internal and external contacts, and
perhaps passwords! Yes, you can sanitize them, but this is excruciating
job and the resulting obfuscation might forget things, or impede the bug
diagnosis.

So SUSE needs the whole logs, and has to keep them secret. I would think
that perhaps they be erased after the investigation.

It is a difficult problem. SUSE, and sometimes openSUSE, needs to be
able to mark some information private, simple as that.

Carlos, you are missing the point of my comment.

BC

--
"..The times have been
That, when the brains were out,
the man would die,.."
"Macbeth", Shakespeare

--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-factory+owner@xxxxxxxxxxxx

< Previous Next >