[mapserver-dev] "Security/Vulnerability (Private)" tickets are not private

thomas bonfort thomas.bonfort at gmail.com
Tue Nov 12 12:03:14 PST 2013


Sorry Even, your email slipped past with the weekend.
That label was automatically imported with the trac migration, and is
effectively useless as github doesn't have private issues. The trac
instance is set to read-only, however opening it back up might
probably be a source of confusion if there are two distinct issue
trackers.  I'm open as to how we should treat those: a private
psc/security mailing list, a shared googledoc, others?

regards,
thomas

On 12 November 2013 20:55, Even Rouault <even.rouault at mines-paris.org> wrote:
> Anyone to comment on this ? This wasn't just a purely theoretical question. I
> have actually something to report.
>
>> Hi,
>>
>> The label "Security/Vulnerability (Private)" in github doesn't result in
>> tickets that are only visible by the reporter or the security team. The
>> tickets just seem to be world visible. See the following dummy ticket :
>> https://github.com/mapserver/mapserver/issues/4806
>>
>> I'm not sure if it can be solved. If not, we should probably remove that
>> label and edit http://www.mapserver.org/development/bugs.html to have a
>> more appropriate procedure.
>>
>> It used to work with Trac if I remember well. Should we re-enable Trac
>> tickets just for security related tickets ?
>>
>> Even
>
> --
> Geospatial professional services
> http://even.rouault.free.fr/services.html
> _______________________________________________
> mapserver-dev mailing list
> mapserver-dev at lists.osgeo.org
> http://lists.osgeo.org/mailman/listinfo/mapserver-dev