Yenya's World

Tue, 29 May 2007

Closed Development

Today, my mutt has crashed when reading a particular spam message. I have looked into this problem, and discovered that mutt crashes only on our RHEL4 system (which has mutt-1.4.1-12.el4), and not on Fedora systems (mutt-

Report nothing, expect nothing. So I have looked up mutt bug reports in Red Hat Bugzilla. I have not found anything related, so I have filled a new bug. I have suspected that the problem has been fixed upstream, so I have ran diff(1) of the RHEL4 source and Fedora source. And indeed, the difference in handler.c was exactly the fix for this bug.

Further communication with Red Hat people discovered that the same bug has already been reported for Fedora Core almost two years ago! I have not found it earlier, because it was marked as "security sensitive", and thus not public.

I think those "private bugs" in Red Hat Bugzilla are severely flawed. I can understand that they need to keep some reports private for a few days, for example to be in sync with other vendors from vendor-sec. But keeping a two years old closed bug private lacks any sense. I think they should change their policy for private bugs so that the "private" flag would be strictly time-limited (say to one month). When longer privacy is needed, it could be explicitly prolonged. And, of course, no "private" flag on closed bugs.

The same problem is with security update notifications which some Linux vendors (like Red Hat or SUSE) send: they usually refer to the Common Vulnerabilities and Exposures name of the bug fixed, but by the time I get the notification and want to check in the CVE database whether the systems from other vendors are affected as well, CVE still lists the vulnerability as private, with no details available. Talk about making the life of their customers easier :-(

Section: /computers (RSS feed) | Permanent link | 3 writebacks

3 replies for this story:

Mark Cox wrote:

Although sometimes it can take a few days for Mitre to update the details of a particular CVE on their site, you can usually get the information from the National Vulnerability Database a day or so in advance of that (

Jane Talbery wrote:

The problem is disclosing customer information so there is no way to make these bugs public. i.e. it's a legal problem.

Yenya wrote: Re: Jane Talbery

What legal problem? The private bug mentioned in my post got opened immediately after I have asked for opening it. I am not against closed bug reports per se, but I definitely am against private bugs which rot in bugzilla untouched for two years. There should be systematic precautions for preventing this (such as opening the untouched bugs after a month or so, or opening the CLOSED bugs after some time.

Reply to this story:

URL/Email: [http://... or mailto:you@wherever] (optional)
Title: (optional)
Key image: key image (valid for an hour only)
Key value: (to verify you are not a bot)


Yenya's World: Linux and beyond - Yenya's blog.


RSS feed

Jan "Yenya" Kasprzak

The main page of this blog



Blog roll:

alphabetically :-)