[Mesa-dev] Proposal: allow hidden security bugs on Mesa's Bugzilla

Benoit Jacob bjacob at mozilla.com
Tue Nov 20 09:29:09 PST 2012


List,

I was told to send this to freedesktop.org admins, but as I fully expect
that this will be controversial among some Mesa developers, I thought
that I would write to this list first and check that there is enough
agreement here.

WebGL-enabled browsers have faced security bugs in all drivers --- Mesa
is not special in this respect. When that happens, we need to have
conversations with the driver developers, not only to get the bugs fixed
in future driver versions, but also to get the insight that we need in
the short term to assess the security implications of the bug, develop
mitigations, and decide whether the affected driver needs to be blacklisted.

Discussions of security-sensitive bugs need to be private. I understand
that this is a controversial statement in many F/OSS communities, but it
is how all browser projects, including Mozilla and Chromium, work, and
that part has to be accepted as an axiom in the present discussion.

Given that, what has happened is that when browser developers (Mozilla
and Chromium at least) identified security bugs in Mesa, as Mesa's
bugzilla does not currently have the option to hide security bugs, we
had to resort to
 * either using private e-mail
 * or CCing Mesa developers on our own secure bugs
Both solutions are poor, and a better solution would be for Mesa's
bugzilla to allow hidden security bugs so we could work there. Given
that security bug discussion can't be open, that is the "least bad"
solution possible.

Any questions?
Do you support or oppose me asking FD.o admins to allow hidden bugs on
Mesa's bugzilla?

Benoit


