perl.perl5.porters | Postings from July 2019

Re: We plan to transition from RT to GitHub

From: David Nicol
Date: July 8, 2019 17:28
Subject: Re: We plan to transition from RT to GitHub
Message ID: CAFwScO-VWS7yTbVB0LVU+Ba0uGt3fn038JTiQYbbNs89mt+wRg@mail.gmail.com

Confidentiality is a premium service and (outside of security reports,
which TPF could reasonably offer a bounty for valid ones) people who need
confidentiality should be hiring contractors instead of complaining in
public.

On Mon, Jul 8, 2019 at 11:06 AM Richard Leach <rich@hyphen-dash-hyphen.info>
wrote:

> On Fri, Jul 5, 2019 at 10:22 AM <hv@crypt.org> wrote:
> > - where will security issues go, how will they get there, from whom will
> > they be secure?
>
> Issues can't be marked as private. Many people seem to have asked or
> +1 this, but it's still not a thing.
>
> There is the model where you have a private repo for code and a
> separate public repo for issues. Don't know if that model could be
> flipped around to have a public code & issues repo, plus a separate
> private security issues repo, but not sure how reporting would work.
> Perhaps security bugs would still have to be reported by email, which
> gets turned into a private repo issue? But it's unclear then how much
> work it would be for the security team to move/copy a resolved
> security issue to the public queue. :-(
>

Well, the security team would fix it in secret, then post the bug and patch
as a formality? That still doesn't solve the problem of all the unpatched
versions though. Which isn't generally solved for any projects I'm aware of.
