Tue, 29 May 2007
Closed Development
Today, my mutt has crashed when reading a particular spam message. I have looked into this problem, and discovered that mutt crashes only on our RHEL4 system (which has mutt-1.4.1-12.el4), and not on Fedora systems (mutt-1.4.2.2-5.fc6).
Report nothing, expect nothing. So I have looked up mutt bug reports in Red Hat Bugzilla. I have not found anything related, so I have filed a new bug. I have suspected that the problem has been fixed upstream, so I ran diff(1) on the RHEL4 source and the Fedora source. And indeed, the difference in handler.c was exactly the fix for this bug.
Further communication with Red Hat people revealed that the same bug had already been reported for Fedora Core almost two years ago! I had not found it earlier, because it was marked as "security sensitive", and thus not public.
I think those "private bugs" in Red Hat Bugzilla are severely flawed. I can understand that they need to keep some reports private for a few days, for example to be in sync with other vendors from vendor-sec. But keeping a two-year-old closed bug private lacks any sense. I think they should change their policy for private bugs so that the "private" flag would be strictly time-limited (say to one month). When longer privacy is needed, it could be explicitly prolonged. And, of course, no "private" flag on closed bugs.
The same problem exists with the security update notifications which some Linux vendors (like Red Hat or SUSE) send: they usually refer to the Common Vulnerabilities and Exposures name of the bug fixed, but by the time I get the notification and want to check in the CVE database whether the systems from other vendors are affected as well, CVE still lists the vulnerability as private, with no details available. Talk about making the life of their customers easier :-(