oss-sec mailing list archives

Re: accepting new members to (linux-)distros lists


From: Kristian Fiskerstrand <k_f () gentoo org>
Date: Sun, 2 Jul 2017 22:38:29 +0200

On 07/02/2017 10:20 PM, Anthony Liguori wrote:
> I've been thinking about this list of items and also some of the
> challenges of Stack Clash.  Something that frequently came up was
> uncertainty about what the current set of patches were and there was
> also lack of clarity on dates.
>
> ...
>
> What do you think about having a public bugzilla (or similar system)
> where tracked issues are kept as private bugs?
>
> ...
>
> Thoughts?

The immediate thought that springs to mind is the [lack of OpenPGP
support in bugzilla], which makes it difficult to ensure confidentiality
unless all email warnings are disabled.

For an organization it is possible to ensure a level of security, as they
control all email endpoints (and disable email forwarding), so
information never leaves a secured zone; but with multiple parties
involved it would need to be fixed or configured to only send e.g. "Bug
XXX has been updated, please log in to see details", which can make the
workflow inconvenient.

Notes:
[lack of OpenPGP support in bugzilla] I say lack of OpenPGP support as
the current implementation is too flawed to be used; this is elaborated
on in http://www.openwall.com/lists/oss-security/2016/02/13/8

-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
