Tianocore Bugzilla Server is now live


Michael Zimmermann
 

Is it just my account or does everybody have the permission "editbugs Can
edit all bug fields"?

It sounds like this is something only moderators should be able to do.

Thanks
Michael

On Thu, Jul 21, 2016 at 8:43 PM, Laszlo Ersek <lersek@redhat.com> wrote:

On 07/21/16 20:07, Kinney, Michael D wrote:
Laszlo,

Try again...it was disabled for a short period of time.
Yes, it's working now.

I'll let you know when I'm done with the clipboard "wizardry" and the
occasional reformatting :)

Thanks!
Laszlo

-----Original Message-----
From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of
Laszlo Ersek
Sent: Thursday, July 21, 2016 10:33 AM
To: Kinney, Michael D <michael.d.kinney@intel.com>
Cc: edk2-devel-01 <edk2-devel@ml01.01.org>
Subject: Re: [edk2] Tianocore Bugzilla Server is now live

On 07/21/16 19:05, Kinney, Michael D wrote:
Laszlo,

Yes. We can hold off disabling GitHub. Let us know when you are
ready.

Thank you! However, github is rejecting my new comments in the browser
tabs that I have open already, and it rejects my fresh requests for
issue URLs.

Thanks,
Laszlo
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel


Michael D Kinney
 

Michael,

I am open to suggestions on this topic.

If there is a strong opinion that we need to protect specific fields from being modified, then we can look into updating the configuration.

I think with Bugzilla change history and edk2-bugs mailing list, we can all see the changes to any issue, so even if someone does do an incorrect edit, I think we can put it back.

Mike


From: Michael Zimmermann [mailto:sigmaepsilon92@gmail.com]
Sent: Tuesday, August 2, 2016 11:57 AM
To: Laszlo Ersek <lersek@redhat.com>
Cc: Kinney, Michael D <michael.d.kinney@intel.com>; edk2-devel-01 <edk2-devel@ml01.01.org>
Subject: Re: [edk2] Tianocore Bugzilla Server is now live

Is it just my account or does everybody have the permission "editbugs Can edit all bug fields"?

It sounds like this is something only moderators should be able to do.

Thanks
Michael

On Thu, Jul 21, 2016 at 8:43 PM, Laszlo Ersek <lersek@redhat.com<mailto:lersek@redhat.com>> wrote:
On 07/21/16 20:07, Kinney, Michael D wrote:
Laszlo,

Try again...it was disabled for a short period of time.
Yes, it's working now.

I'll let you know when I'm done with the clipboard "wizardry" and the
occasional reformatting :)

Thanks!
Laszlo

-----Original Message-----
From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org<mailto:edk2-devel-bounces@lists.01.org>] On Behalf Of Laszlo Ersek
Sent: Thursday, July 21, 2016 10:33 AM
To: Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>
Cc: edk2-devel-01 <edk2-devel@ml01.01.org<mailto:edk2-devel@ml01.01.org>>
Subject: Re: [edk2] Tianocore Bugzilla Server is now live

On 07/21/16 19:05, Kinney, Michael D wrote:
Laszlo,

Yes. We can hold off disabling GitHub. Let us know when you are ready.
Thank you! However, github is rejecting my new comments in the browser
tabs that I have open already, and it rejects my fresh requests for
issue URLs.

Thanks,
Laszlo
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org<mailto:edk2-devel@lists.01.org>
https://lists.01.org/mailman/listinfo/edk2-devel


Laszlo Ersek
 

On 08/02/16 20:57, Michael Zimmermann wrote:
Is it just my account or does everybody have the permission "editbugsCan
edit all bug fields"?

It sounds like this is something only moderators should be able to do.
Indeed I noticed this permission when I last looked (in the "whine" thread).

I think it might make sense to restrict this permission to package
maintainers. And, I think "refinements" beyond that should not be
necessary -- I for one certainly would like to be able to edit all
bugzilla fields, regardless of their current values! :)

Thanks
Laszlo


Thanks
Michael

On Thu, Jul 21, 2016 at 8:43 PM, Laszlo Ersek <lersek@redhat.com
<mailto:lersek@redhat.com>> wrote:

On 07/21/16 20:07, Kinney, Michael D wrote:
> Laszlo,
>
> Try again...it was disabled for a short period of time.

Yes, it's working now.

I'll let you know when I'm done with the clipboard "wizardry" and the
occasional reformatting :)

Thanks!
Laszlo

>> -----Original Message-----
>> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org
<mailto:edk2-devel-bounces@lists.01.org>] On Behalf Of Laszlo Ersek
>> Sent: Thursday, July 21, 2016 10:33 AM
>> To: Kinney, Michael D <michael.d.kinney@intel.com <mailto:michael.d.kinney@intel.com>>
>> Cc: edk2-devel-01 <edk2-devel@ml01.01.org <mailto:edk2-devel@ml01.01.org>>
>> Subject: Re: [edk2] Tianocore Bugzilla Server is now live
>>
>> On 07/21/16 19:05, Kinney, Michael D wrote:
>>> Laszlo,
>>>
>>> Yes. We can hold off disabling GitHub. Let us know when you are ready.
>>
>> Thank you! However, github is rejecting my new comments in the browser
>> tabs that I have open already, and it rejects my fresh requests for
>> issue URLs.
>>
>> Thanks,
>> Laszlo

_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org <mailto:edk2-devel@lists.01.org>
https://lists.01.org/mailman/listinfo/edk2-devel


Laszlo Ersek
 

On 08/02/16 21:10, Kinney, Michael D wrote:
Michael,

I am open to suggestions on this topic.

If there is a strong opinion that we need to protect specific fields
from being modified, then we can look into updating the configuration.

I think with Bugzilla change history and edk2-bugs mailing list, we can
all see the changes to any issue, so even if someone does do an
incorrect edit, I think we can put it back.
Does "editbugs" include changing the product from "Tianocore Security
Issues" to something else, possibly exposing the security issue to the
world?

Hm... It probably doesn't matter. If a security issue can be looked at
(which is a pre-requisite for the product field to be changed) by anyone
in the first place, then they can expose the contents to the world in
other ways too. :)

So I think trusting all registered accounts with "editbugs" is a good
starting point too.

Thanks
Laszlo


*From:*Michael Zimmermann [mailto:sigmaepsilon92@gmail.com]
*Sent:* Tuesday, August 2, 2016 11:57 AM
*To:* Laszlo Ersek <lersek@redhat.com>
*Cc:* Kinney, Michael D <michael.d.kinney@intel.com>; edk2-devel-01
<edk2-devel@ml01.01.org>
*Subject:* Re: [edk2] Tianocore Bugzilla Server is now live



Is it just my account or does everybody have the permission
"editbugs Can edit all bug fields"?



It sounds like this is something only moderators should be able to do.



Thanks

Michael



On Thu, Jul 21, 2016 at 8:43 PM, Laszlo Ersek <lersek@redhat.com
<mailto:lersek@redhat.com>> wrote:

On 07/21/16 20:07, Kinney, Michael D wrote:
> Laszlo,
>
> Try again...it was disabled for a short period of time.

Yes, it's working now.

I'll let you know when I'm done with the clipboard "wizardry" and the
occasional reformatting :)

Thanks!
Laszlo

>> -----Original Message-----
>> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org
<mailto:edk2-devel-bounces@lists.01.org>] On Behalf Of Laszlo Ersek
>> Sent: Thursday, July 21, 2016 10:33 AM
>> To: Kinney, Michael D <michael.d.kinney@intel.com <mailto:michael.d.kinney@intel.com>>
>> Cc: edk2-devel-01 <edk2-devel@ml01.01.org <mailto:edk2-devel@ml01.01.org>>
>> Subject: Re: [edk2] Tianocore Bugzilla Server is now live
>>
>> On 07/21/16 19:05, Kinney, Michael D wrote:
>>> Laszlo,
>>>
>>> Yes. We can hold off disabling GitHub. Let us know when you are ready.
>>
>> Thank you! However, github is rejecting my new comments in the browser
>> tabs that I have open already, and it rejects my fresh requests for
>> issue URLs.
>>
>> Thanks,
>> Laszlo

_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org <mailto:edk2-devel@lists.01.org>
https://lists.01.org/mailman/listinfo/edk2-devel



Michael Zimmermann
 

How are security issues treated in UEFI anyway?
Are they kept a secret forever or just for a specific time span?

A reason for keeping them a secret forever(while pushing
unsuspicious fixes) probably would be the fact that most UEFI systems don't
get updated.

Thanks
Michael

On Tue, Aug 2, 2016 at 9:34 PM, Laszlo Ersek <lersek@redhat.com> wrote:

On 08/02/16 21:10, Kinney, Michael D wrote:
Michael,

I am open to suggestions on this topic.

If there is a strong opinion that we need to protect specific fields
from being modified, then we can look into updating the configuration.

I think with Bugzilla change history and edk2-bugs mailing list, we can
all see the changes to any issue, so even if someone does do an
incorrect edit, I think we can put it back.
Does "editbugs" include changing the product from "Tianocore Security
Issues" to something else, possibly exposing the security issue to the
world?

Hm... It probably doesn't matter. If a security issue can be looked at
(which is a pre-requisite for the product field to be changed) by anyone
in the first place, then they can expose the contents to the world in
other ways too. :)

So I think trusting all registered accounts with "editbugs" is a good
starting point too.

Thanks
Laszlo


*From:*Michael Zimmermann [mailto:sigmaepsilon92@gmail.com]
*Sent:* Tuesday, August 2, 2016 11:57 AM
*To:* Laszlo Ersek <lersek@redhat.com>
*Cc:* Kinney, Michael D <michael.d.kinney@intel.com>; edk2-devel-01
<edk2-devel@ml01.01.org>
*Subject:* Re: [edk2] Tianocore Bugzilla Server is now live



Is it just my account or does everybody have the permission
"editbugs Can edit all bug fields"?



It sounds like this is something only moderators should be able to do.



Thanks

Michael



On Thu, Jul 21, 2016 at 8:43 PM, Laszlo Ersek <lersek@redhat.com
<mailto:lersek@redhat.com>> wrote:

On 07/21/16 20:07, Kinney, Michael D wrote:
> Laszlo,
>
> Try again...it was disabled for a short period of time.

Yes, it's working now.

I'll let you know when I'm done with the clipboard "wizardry" and the
occasional reformatting :)

Thanks!
Laszlo

>> -----Original Message-----
>> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org
<mailto:edk2-devel-bounces@lists.01.org>] On Behalf Of Laszlo Ersek
>> Sent: Thursday, July 21, 2016 10:33 AM
>> To: Kinney, Michael D <michael.d.kinney@intel.com <mailto:
michael.d.kinney@intel.com>>
>> Cc: edk2-devel-01 <edk2-devel@ml01.01.org <mailto:
edk2-devel@ml01.01.org>>
>> Subject: Re: [edk2] Tianocore Bugzilla Server is now live
>>
>> On 07/21/16 19:05, Kinney, Michael D wrote:
>>> Laszlo,
>>>
>>> Yes. We can hold off disabling GitHub. Let us know when you
are ready.
>>
>> Thank you! However, github is rejecting my new comments in the
browser
>> tabs that I have open already, and it rejects my fresh requests
for
>> issue URLs.
>>
>> Thanks,
>> Laszlo

_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org <mailto:edk2-devel@lists.01.org>
https://lists.01.org/mailman/listinfo/edk2-devel



Andrew Fish
 

On Aug 2, 2016, at 12:43 PM, Michael Zimmermann <sigmaepsilon92@gmail.com> wrote:

How are security issues treated in UEFI anyway?
They follow the standard ethical disclosure process like then one discussed here: http://www.uefi.org/security

Are they kept a secret forever or just for a specific time span?
The ethical disclosure processes is followed and an timespan is picked that lets systems that are going to get updates get fixed. This is how things security work in general.

A reason for keeping them a secret forever(while pushing
unsuspicious fixes) probably would be the fact that most UEFI systems don't
get updated.
No after some reasonable amount of time there will be disclosure to the public. The embargo of information is to let as many folks as possible get patches in place before the issue is public.

Thanks,

Andrew Fish

Thanks
Michael

On Tue, Aug 2, 2016 at 9:34 PM, Laszlo Ersek <lersek@redhat.com> wrote:

On 08/02/16 21:10, Kinney, Michael D wrote:
Michael,

I am open to suggestions on this topic.

If there is a strong opinion that we need to protect specific fields
from being modified, then we can look into updating the configuration.

I think with Bugzilla change history and edk2-bugs mailing list, we can
all see the changes to any issue, so even if someone does do an
incorrect edit, I think we can put it back.
Does "editbugs" include changing the product from "Tianocore Security
Issues" to something else, possibly exposing the security issue to the
world?

Hm... It probably doesn't matter. If a security issue can be looked at
(which is a pre-requisite for the product field to be changed) by anyone
in the first place, then they can expose the contents to the world in
other ways too. :)

So I think trusting all registered accounts with "editbugs" is a good
starting point too.

Thanks
Laszlo


*From:*Michael Zimmermann [mailto:sigmaepsilon92@gmail.com]
*Sent:* Tuesday, August 2, 2016 11:57 AM
*To:* Laszlo Ersek <lersek@redhat.com>
*Cc:* Kinney, Michael D <michael.d.kinney@intel.com>; edk2-devel-01
<edk2-devel@ml01.01.org>
*Subject:* Re: [edk2] Tianocore Bugzilla Server is now live



Is it just my account or does everybody have the permission
"editbugs Can edit all bug fields"?



It sounds like this is something only moderators should be able to do.



Thanks

Michael



On Thu, Jul 21, 2016 at 8:43 PM, Laszlo Ersek <lersek@redhat.com
<mailto:lersek@redhat.com>> wrote:

On 07/21/16 20:07, Kinney, Michael D wrote:
Laszlo,

Try again...it was disabled for a short period of time.
Yes, it's working now.

I'll let you know when I'm done with the clipboard "wizardry" and the
occasional reformatting :)

Thanks!
Laszlo

-----Original Message-----
From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org
<mailto:edk2-devel-bounces@lists.01.org>] On Behalf Of Laszlo Ersek
Sent: Thursday, July 21, 2016 10:33 AM
To: Kinney, Michael D <michael.d.kinney@intel.com <mailto:
michael.d.kinney@intel.com>>
Cc: edk2-devel-01 <edk2-devel@ml01.01.org <mailto:
edk2-devel@ml01.01.org>>
Subject: Re: [edk2] Tianocore Bugzilla Server is now live

On 07/21/16 19:05, Kinney, Michael D wrote:
Laszlo,

Yes. We can hold off disabling GitHub. Let us know when you
are ready.

Thank you! However, github is rejecting my new comments in the
browser
tabs that I have open already, and it rejects my fresh requests
for
issue URLs.

Thanks,
Laszlo
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org <mailto:edk2-devel@lists.01.org>
https://lists.01.org/mailman/listinfo/edk2-devel


_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel