Yenya's World

Tue, 29 May 2007

Closed Development

Today, my mutt has crashed when reading a particular spam message. I have looked into this problem, and discovered that mutt crashes only on our RHEL4 system (which has mutt-1.4.1-12.el4), and not on Fedora systems (mutt-1.4.2.2-5.fc6).

Report nothing, expect nothing. So I have looked up mutt bug reports in Red Hat Bugzilla. I have not found anything related, so I have filed a new bug. I have suspected that the problem has been fixed upstream, so I have run diff(1) on the RHEL4 source and the Fedora source. And indeed, the difference in handler.c was exactly the fix for this bug.

Further communication with Red Hat people discovered that the same bug has already been reported for Fedora Core almost two years ago! I have not found it earlier, because it was marked as "security sensitive", and thus not public.

I think those "private bugs" in Red Hat Bugzilla are severely flawed. I can understand that they need to keep some reports private for a few days, for example to be in sync with other vendors from vendor-sec. But keeping a two-year-old closed bug private lacks any sense. I think they should change their policy for private bugs so that the "private" flag would be strictly time-limited (say to one month). When longer privacy is needed, it could be explicitly prolonged. And, of course, no "private" flag on closed bugs.

The same problem exists with the security update notifications which some Linux vendors (like Red Hat or SUSE) send: they usually refer to the Common Vulnerabilities and Exposures name of the bug fixed, but by the time I get the notification and want to check in the CVE database whether the systems from other vendors are affected as well, CVE still lists the vulnerability as private, with no details available. Talk about making the life of their customers easier :-(

Section: /computers | 3 writebacks

3 replies for this story:

Mark Cox wrote:

Although sometimes it can take a few days for Mitre to update the details of a particular CVE on their site, you can usually get the information from the National Vulnerability Database a day or so in advance of that (nvd.nist.gov)

Jane Talbery wrote:

The problem is disclosing customer information so there is no way to make these bugs public. i.e. it's a legal problem.

Yenya wrote: Re: Jane Talbery

What legal problem? The private bug mentioned in my post got opened immediately after I have asked for it to be opened. I am not against closed bug reports per se, but I definitely am against private bugs which rot in Bugzilla untouched for two years. There should be systematic precautions for preventing this (such as opening the untouched bugs after a month or so, or opening the CLOSED bugs after some time).

Jan "Yenya" Kasprzak