Issue190

Title: security problem
Priority: bug
Status: chatting
Superseder:
Nosy List: phr
Assigned To:
Topics:

Created on 2008-02-21.20:38:03 by phr, last changed 2013-08-26.16:17:07 by berker.peksag.

Messages
msg972 Author: phr Date: 2008-02-21.20:38:03
The tracker doesn't appear to have a way to privately report a security problem.
msg975 Author: loewis Date: 2008-02-21.20:55:37
> The tracker doesn't appear to have a way to privately report a security problem.

That's mostly intentional. Issues that shouldn't be disclosed should be reported to security@python.org.

Regards,
Martin
msg977 Author: phr Date: 2008-02-22.03:59:11
Well, ok, but a link or explanation of that somewhere on the tracker would be
helpful.  Eventually it may be worth adding this, depending on how the
maintainers want to handle such reports.  I know that launchpad and bugzilla can
accept private reports and the feature is helpful.  They also normally serve
pages through SSL which should be more secure than email.  Anything really
sensitive is probably better off on a single well-secured server than in the
mailboxes of N different maintainers.  However, this probably isn't an
overriding issue for Python right now.
msg982 Author: loewis Date: 2008-02-22.17:30:02
The problem is that we would need to create a separate account role, and then
restrict classified issues to access only by that role, and by the submitter.
The security model of Roundup makes this fairly error-prone - this installation
gives "view" permissions to all issues to everybody, and restricting it requires
a lot of work, testing, and faith.

So email is *much* more secure.

Contributions are welcome.
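As an added illustration of the role-based restriction Martin describes (this is not code from the meta tracker or from Roundup itself): a Roundup-style permission `check` callback that lets a classified issue be viewed only by the user who filed it or by holders of a dedicated role, exercised here against a constructed in-memory stand-in for the tracker database. The role name `Security`, the `classified` issue property, and the `_FakeDB` classes are assumptions; Roundup's real `db.security.addPermission(...)` / `addPermissionToRole(...)` calls are only shown in a comment.

```python
# Added example: a Roundup-style "check" callback for classified issues.
# In a real schema.py it would be wired up roughly as
#   p = db.security.addPermission(name='View', klass='issue',
#                                 check=classified_view_check,
#                                 description='View issue, honouring classified flag')
#   db.security.addPermissionToRole('User', p)
# after REMOVING the unconditional "View issue" grant Martin mentions; otherwise the
# blanket grant still wins and the check never restricts anything.

SECURITY_ROLE = "security"   # assumed dedicated role (Roundup compares role names lower-cased)

def classified_view_check(db, userid, itemid):
    """Return True only if userid may view issue itemid.

    Fails closed: an issue marked classified is visible solely to its creator
    and to holders of SECURITY_ROLE. Unclassified issues keep the tracker's
    open-by-default behaviour.
    """
    if not db.issue.get(itemid, "classified"):      # assumed Boolean property
        return True
    if db.issue.get(itemid, "creator") == userid:
        return True
    roles = [r.strip().lower() for r in db.user.get(userid, "roles").split(",")]
    return SECURITY_ROLE in roles

# --- constructed stand-in for db.issue / db.user (not Roundup's classes) ---
class _Class:
    def __init__(self, rows):
        self._rows = rows
    def get(self, itemid, prop):
        return self._rows[itemid][prop]

class _FakeDB:
    def __init__(self):
        self.user = _Class({
            "1": {"roles": "Admin,Security"},   # security-team member
            "2": {"roles": "User"},             # reporter of issue 10
            "3": {"roles": "User"},             # unrelated registered user
        })
        self.issue = _Class({
            "10": {"creator": "2", "classified": True},
            "11": {"creator": "3", "classified": False},
        })

def visibility_matrix(db=None):
    """Map (userid, issueid) -> allowed, for every user/issue pair in the stand-in DB."""
    db = db or _FakeDB()
    return {(u, i): classified_view_check(db, u, i)
            for u in ("1", "2", "3") for i in ("10", "11")}
```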
msg983 Author: phr Date: 2008-02-22.23:36:01
I guess this is best left as a long term wish list item in that case.  Having
been through this kind of thing a few times before, I agree that if it's
complicated to do, it's likely to leave holes.  So it's best accomplished by
organizing the architecture in a way that makes it simple and solid.

I do think it's worth doing something about issue #191 (reported by email) even
if it's a short term hack.
msg984 Author: loewis Date: 2008-02-23.07:12:02
> I do think it's worth doing something about issue #191 (reported by email) even
> if it's a short term hack.

If you are talking about the issue you reported privately - nobody here knows what the issue is; that's the point of a classified report.
History
Date | User | Action | Args
2013-08-26 16:17:07 | berker.peksag | set | files: - sa.html
2013-08-26 16:17:03 | berker.peksag | set | nosy: - changeablecore8; title: New Interface -> security problem
2013-08-26 16:16:37 | berker.peksag | set | messages: - msg2774
2013-08-26 16:15:23 | changeablecore8 | set | files: + sa.html; nosy: + changeablecore8; messages: + msg2774; title: security problem -> New Interface
2008-02-23 07:12:03 | loewis | set | messages: + msg984
2008-02-22 23:36:02 | phr | set | messages: + msg983
2008-02-22 17:30:02 | loewis | set | messages: + msg982
2008-02-22 03:59:12 | phr | set | messages: + msg977
2008-02-21 20:55:37 | loewis | set | status: unread -> chatting; messages: + msg975; title: tracker has no way to mark a problem as private -> security problem
2008-02-21 20:39:12 | phr | set | title: security problem -> tracker has no way to mark a problem as private
2008-02-21 20:38:03 | phr | create |