Yenya's World

Tue, 29 May 2007

Closed Development

Today, my mutt has crashed when reading a particular spam message. I have looked into this problem, and discovered that mutt crashes only on our RHEL4 system (which has mutt-1.4.1-12.el4), and not on Fedora systems (mutt-

Report nothing, expect nothing. So I have looked up mutt bug reports in Red Hat Bugzilla. I have not found anything related, so I have filled a new bug. I have suspected that the problem has been fixed upstream, so I have ran diff(1) of the RHEL4 source and Fedora source. And indeed, the difference in handler.c was exactly the fix for this bug.

Further communication with Red Hat people discovered that the same bug has already been reported for Fedora Core almost two years ago! I have not found it earlier, because it was marked as "security sensitive", and thus not public.

I think those "private bugs" in Red Hat Bugzilla are severely flawed. I can understand that they need to keep some reports private for a few days, for example to be in sync with other vendors from vendor-sec. But keeping a two years old closed bug private lacks any sense. I think they should change their policy for private bugs so that the "private" flag would be strictly time-limited (say to one month). When longer privacy is needed, it could be explicitly prolonged. And, of course, no "private" flag on closed bugs.

The same problem is with security update notifications which some Linux vendors (like Red Hat or SUSE) send: they usually refer to the Common Vulnerabilities and Exposures name of the bug fixed, but by the time I get the notification and want to check in the CVE database whether the systems from other vendors are affected as well, CVE still lists the vulnerability as private, with no details available. Talk about making the life of their customers easier :-(

Section: /computers (RSS feed) | Permanent link | 3 writebacks


Yenya's World: Linux and beyond - Yenya's blog.


RSS feed

Jan "Yenya" Kasprzak

The main page of this blog



Blog roll:

alphabetically :-)