[mapserver-dev] "Security/Vulnerability (Private)" tickets are not private

Lime, Steve D (MNIT) Steve.Lime at state.mn.us
Tue Nov 12 12:24:20 PST 2013

Doesn't sound like we could turn on Trac for just this purpose. I kinda like the idea of private mailing list (mapserver-security) paired with whatever tracking makes sense for the issue at hand.


-----Original Message-----
From: mapserver-dev-bounces at lists.osgeo.org [mailto:mapserver-dev-bounces at lists.osgeo.org] On Behalf Of thomas bonfort
Sent: Tuesday, November 12, 2013 2:03 PM
To: Even Rouault
Cc: MapServer Dev Mailing List
Subject: Re: [mapserver-dev] "Security/Vulnerability (Private)" tickets are not private

Sorry Even, your email slipped past with the weekend.
That label was automatically imported with the trac migration, and is effectively useless as github doesn't have private issues. The trac instance is set to read-only, however opening it back up might probably be a source of confusion if there are two distinct issue trackers.  I'm open as to how we should treat those: a private psc/security mailing list, a shared googledoc, others?


On 12 November 2013 20:55, Even Rouault <even.rouault at mines-paris.org> wrote:
> Anyone to comment on this ? This wasn't just a purely theoretical 
> question. I have actually something to report.
>> Hi,
>> The label "Security/Vulnerability (Private)" in github doesn't result 
>> in tickets that are only visible by the reporter or the security 
>> team. The tickets just seem to be world visible. See the following dummy ticket :
>> https://github.com/mapserver/mapserver/issues/4806
>> I'm not sure if it can be solved. If not, we should probably remove 
>> that label and edit http://www.mapserver.org/development/bugs.html to 
>> have a more appropriate procedure.
>> It used to work with Trac if I remember well. Should we re-enable 
>> Trac tickets just for security related tickets ?
>> Even
> --
> Geospatial professional services
> http://even.rouault.free.fr/services.html
> _______________________________________________
> mapserver-dev mailing list
> mapserver-dev at lists.osgeo.org
> http://lists.osgeo.org/mailman/listinfo/mapserver-dev
mapserver-dev mailing list
mapserver-dev at lists.osgeo.org

More information about the mapserver-dev mailing list