Launchpad doesn't allow project bug tracker to be configured to forbid 'private' bugs

Bug #1821769 reported by Peter Maydell
This bug affects 1 person
Affects: Launchpad itself
Status: Triaged
Importance: Low
Assigned to: Unassigned
Milestone: (none listed)

Bug Description

The QEMU project has its own security-issue reporting policy, so we don't use Launchpad's "private" bug option. In QEMU's case public bug reports get gatewayed to our mailing list, which is where developers become aware of them and act on them. Private bug reports are not gatewayed, which means that filing a private bug on our LP is effectively sending it to /dev/null.

It would be nice if Launchpad allowed projects to configure their bug tracker to forbid creation of any "private" bugs. At the moment the best we can do is add a 'Do NOT report security issues as "private" bugs in this bug tracker' warning in the 'bug reporting guidelines' text, but of course some users will miss this. If we could just disable the feature entirely we could help our users avoid falling into this black hole.

Colin Watson (cjwatson) wrote :

I wonder if we could do this by inventing a new bug sharing policy that's even more public than Public: that is, even Private Security is forbidden.

tags: added: disclosure feature lp-bugs
Changed in launchpad:
status: New → Triaged
importance: Undecided → Low
This report contains Public information  
Everyone can see this information.