Mailinglist Archive: opensuse-packaging (174 mails)

Re: [opensuse-packaging] factory-auto will start checking bnc# visibility
  • From: Ludwig Nussel <ludwig.nussel@xxxxxxx>
  • Date: Wed, 27 Nov 2013 14:41:14 +0100
  • Message-id: <5295F67A.1070200@suse.de>
Tomáš Chvátal wrote:
Just informational mail that we plan to enable bnc# checking in the changelogs
to ensure that Factory submissions are in fact only listing visible bugs. [1] [2]

I was the one asking for that feature but unfortunately was on
vacation when the first implementation was proposed, so let me
respond to a few concerns brought up in this thread.

- There is no security background on this request. It's just for the
sake of allowing people to check the reason of changes, allow them
to comment on them in the right place and potentially also allow
them to re-open the bug if needed. It's a PITA having to ask
people via side channels to open bug reports and then wait days to
get a reaction. Anyone who was in the situation of having to deal
with e.g. Legal bugs assigned to others knows how it interrupts
your workflow and how bad it feels.

- Legal bugs not being public is for legacy reasons and the way
bugzilla is currently set up. I've been talking to people about
getting openSUSE legal bugs public by default. There seems to be
an agreement and a way to achieve that. Implementation pending.

- It is true that the initial description of bugs cannot be
modified. So if you accidentally pasted stuff there that shouldn't
be public you have to mark it private and provide a better summary
in another comment as workaround. That is a limitation of our
bugzilla instance and could be fixed.

- Security bugs are not public only when there is an embargo. During
that period there are no requests that concern factory-auto. When
a security issue becomes public the SUSE Security Team makes the
bug public. The security team files bugs already having in mind
that the bug will have to be made public at some point exactly
because of the aforementioned limitation. Any really sensitive
information is kept private of course. Bug comments and
attachments are reviewed before actually opening up a bug. Err on
the safe side. I've been doing that myself for years, it's not a
big deal and worth the extra effort to make the work more
transparent.

- If it's technically not possible to make SLE bugs public because
the check box is missing then this can be fixed by changing
the product configuration in bugzilla. Wrt sensitive information
in there, the same process that security has followed for years
can be applied. It's just a matter of willingness to do that.

- Wrt the implementation I agree that the checker should only look
at the diff and not require changing legacy bugs.

- A rejection by factory-auto is not an ultimate failure. If the
submission got rejected because of a non-public bug you are free
to re-open the request. If the reviewers are fine with that, fine.
Still maybe that little extra step helps to raise awareness and
reduce the number of actually needlessly private bug reports.

- Obviously other distros aren't perfect either. That doesn't mean we
should use that as an excuse for not improving ourselves.

cu
Ludwig

--
(o_ Ludwig Nussel
//\
V_/_ http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB
16746 (AG Nürnberg)
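The "only look at the diff" behaviour the message asks of the checker, as an added illustration that is not factory-auto's code: bug references are collected from the added lines of a unified diff of a `.changes` file only, so legacy entries that remain as context are never flagged. The `bnc#`/`boo#` pattern, the sample diff and the visibility map standing in for a Bugzilla lookup are all constructed for this example.

```python
import re
from typing import Dict, Iterable, List, Set

# bnc#NNNN and boo#NNNN are the Bugzilla prefixes seen in openSUSE changelogs;
# the pattern itself is an assumption of this example, not factory-auto's.
BUG_REF = re.compile(r"\b(?:bnc|boo)#(\d+)")


def added_lines(diff: str) -> Iterable[str]:
    """Yield only the lines a unified diff adds, skipping the '+++' file header."""
    for line in diff.splitlines():
        if line.startswith("+") and not line.startswith("+++"):
            yield line[1:]


def bugs_in_diff(diff: str) -> Set[int]:
    """Bug numbers referenced by newly added changelog lines only.
    Context and removed lines are ignored, so legacy entries never need editing."""
    return {int(m) for line in added_lines(diff) for m in BUG_REF.findall(line)}


def non_public_bugs(diff: str, is_public: Dict[int, bool]) -> List[int]:
    """Referenced bugs that are not public; a bug missing from the map is treated
    as not public, which is the safe default for a review check."""
    return sorted(b for b in bugs_in_diff(diff) if not is_public.get(b, False))


# Constructed sample: five added lines plus three legacy context lines.
SAMPLE_DIFF = """\
--- foo.changes
+++ foo.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Wed Nov 27 12:00:00 UTC 2013 - packager@example.com
+
+- fix crash on empty input (bnc#111111)
+- drop obsolete patch, see boo#222222
 -------------------------------------------------------------------
 Mon Nov 04 09:00:00 UTC 2013 - packager@example.com
 - old entry referencing a private legacy bug bnc#333333
"""

# Constructed visibility map standing in for a Bugzilla query.
SAMPLE_VISIBILITY = {111111: True, 222222: False, 333333: False}

if __name__ == "__main__":
    print(non_public_bugs(SAMPLE_DIFF, SAMPLE_VISIBILITY))  # [222222]
```

The legacy bug 333333 is private but sits in a context line, so it is not reported; only the newly added reference to 222222 would cause a rejection.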
