Mailinglist Archive: opensuse-factory (536 mails)

Re: [opensuse-factory] Opening private bugs
  • From: "Sarah Julia Kriesch" <ada.lovelace@xxxxxx>
  • Date: Wed, 30 May 2018 10:11:15 +0200
  • Message-id: <trinity-7ec73ca8-263c-4dca-b6c5-753610da4adc-1527667875085@3c-app-gmx-bs63>

Sent: Wednesday, 30 May 2018 at 04:58
From: "Carlos E. R." <robin.listas@xxxxxxxxxxxxxx>
To: opensuse-factory@xxxxxxxxxxxx
Subject: Re: [opensuse-factory] Opening private bugs

On 2018-05-30 04:24, Basil Chupin wrote:
On 30/05/18 02:18, Stefan Seyfried wrote:
Am 29.05.2018 um 16:13 schrieb Anton Aylward:
On 29/05/18 04:05 AM, Simon Lees wrote:
I can see that there is customer info that must remain private.
I, too, am a 'customer' for various entities and I have to supply them with
information such as credit card numbers.

But let's face reality.
But I don't see how a bug in FOSS software is in that category.
I don't see that the fact that Company X uses a specific application made of
FOSS software is "private customer information".
This information is really mostly harmless.
But when I report a bug at work, I add
* log files (host names, IP addresses)
* config files (host names, IP addresses, config options, security settings, ...)
* a detailed description of our specific setup (in the "how to reproduce" section)
* a detailed description of the system tuning, make and model of the used hardware, ...
* crashdumps (unlikely to end up in bugzilla due to their sheer size, but maybe parts of them from the debugger tool output)

This is probably not only data of the company I work for, but also from
our customers.

All this is clearly confidential, as it would for example be interesting
for attackers trying to sneak into our network, or for competitors.

Because of this, SUSE had to sign an NDA with us for us to even consider
buying subscriptions / support, and my employer would surely sue the
hell out of SUSE, Microfocus, whoever, if this were not respected.
I think this is the same with most other customers.

And yet you just said that the info. you provide SUSE in a bug report
may contain customer information... Ouch!


It is very difficult to sanitize a log from all such delicate
information, and in doing so, you might modify unknowingly information
that is crucial for diagnosing the bug.

Marking bugs private is a need. For instance, yesterday I submitted an
entire virtual machine dump in an effort to help reproduce a problem in
a bugzilla. I do not wish the entire internet to have access to it,
would you?

Yet, if a solution is found for the bug, it has to be published. But not
my virtual machine.

Suppose an investigation of a mail problem. You submit the mail logs,
which have the mail addresses of internal and external contacts, and
perhaps passwords! Yes, you can sanitize them, but this is an excruciating
job and the resulting obfuscation might forget things, or impede the bug

So SUSE needs the whole logs, and has to keep them secret. I would think
that perhaps they should be erased after the investigation.

It is a difficult problem. SUSE, and sometimes openSUSE, needs to be
able to mark some information private, simple as that.

That's a topic for group security in Bugzilla.
I know from other issue trackers that it is possible for attachments to be
readable / downloadable only by a specific group in the project.
So we can create groups like SUSE and openSUSE.
We should try that with Bugzilla [1].
I would be surprised if it isn't possible to have security rules for
So customer data can be safe.

Best regards,
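The log-sanitisation problem Stefan and Carlos describe above (host names, IP addresses, mail addresses and possibly passwords in submitted logs; ad-hoc redaction that forgets things or destroys what the developer needs to diagnose the bug), as an added example that is not code from this thread, from openSUSE or from SUSE: a small Python sanitiser that drops secret values outright and replaces host names, IPs and mail addresses with keyed, consistent pseudonyms, so a value that appears on several lines stays correlatable in the sanitised log while the reporter alone keeps the mapping table. The regexes, the key, the class and function names and the sample log lines are all constructed for this example.

```python
import hashlib
import hmac
import re

# Constructed sample (not from the thread): a mail-server excerpt of the kind the
# thread describes, with host names, IPs, mail addresses and a leaked password.
SAMPLE_LOG = """\
May 29 10:15:01 mx1.corp.example postfix/smtpd[2314]: connect from client.partner.example[203.0.113.7]
May 29 10:15:02 mx1.corp.example dovecot: auth: Debug: plain: password=Hunter2! user=alice@corp.example
May 29 10:15:03 mx1.corp.example postfix/qmgr[1102]: 4F3A1: from=<alice@corp.example>, to=<bob@customer.example>
May 29 10:15:04 mx1.corp.example postfix/smtpd[2314]: disconnect from client.partner.example[203.0.113.7]
"""

# Patterns are deliberately simple; real logs need more (IPv6, user names, URLs, ...).
# The order in which they are applied below matters: mail addresses before host
# names, so that "corp.example" inside an address is not pseudonymised twice.
_SECRET = re.compile(r"(?i)\b(password|passwd|secret|token)=([^\s,]+)")
_EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Any dotted name containing at least one letter: catches host names, but also
# things like "libc.so.6"; over-matching is the price of a regex approach.
_HOST = re.compile(r"(?i)\b(?=[a-z0-9.-]*[a-z])[a-z0-9-]+(?:\.[a-z0-9-]+)+\b")


class LogSanitizer:
    """Redact secrets and replace identifiers with consistent keyed pseudonyms."""

    def __init__(self, key: bytes):
        # The key never leaves the reporter. With it the reporter can re-derive
        # any token; without it the tokens cannot be reversed.
        self._key = key
        self._mapping = {}  # original value -> pseudonym

    def pseudonym(self, kind: str, value: str) -> str:
        # Same input value -> same token, so "connect from X" and "disconnect
        # from X" on different lines still visibly refer to the same host.
        if value not in self._mapping:
            tag = hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()[:8]
            self._mapping[value] = f"{kind}-{tag}"
        return self._mapping[value]

    def sanitize_line(self, line: str) -> str:
        # Secrets are dropped, never pseudonymised: there is no diagnostic value
        # in a password, so there is nothing to preserve.
        line = _SECRET.sub(lambda m: f"{m.group(1)}=<REDACTED>", line)
        line = _EMAIL.sub(lambda m: self.pseudonym("mail", m.group(0)), line)
        line = _IPV4.sub(lambda m: self.pseudonym("ip", m.group(0)), line)
        line = _HOST.sub(lambda m: self.pseudonym("host", m.group(0)), line)
        return line

    def sanitize(self, text: str) -> str:
        return "".join(self.sanitize_line(l) + "\n" for l in text.splitlines())

    def mapping(self) -> dict:
        # The reporter keeps this table locally (not attached to the bug), so a
        # developer's question about "host-3f2a..." can still be answered.
        return dict(self._mapping)


def sanitize_sample(key: bytes = b"reporter-local-key"):
    """Run the sanitiser over the constructed sample; returns (text, mapping)."""
    s = LogSanitizer(key)
    return s.sanitize(SAMPLE_LOG), s.mapping()


if __name__ == "__main__":
    text, table = sanitize_sample()
    print(text)
    for original, token in table.items():
        print(f"{token:>18}  <-  {original}")
```

The sanitised output still shows that the host which connected on the first line is the one that disconnected on the last, which a "replace everything with XXX" pass would lose. The caveats are exactly the ones raised in the thread: the regexes over-match (a library name such as libc.so.6 looks like a host name) and under-match (a password logged under a key not in the list, a host name written without dots), and whatever survives must still be reviewed by hand before it is attached to a public bug.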
