[SRU]Can't select p12 secret key for TLS auth for 802.1X authentication

Bug #1575614 reported by Arkady
110
This bug affects 21 people
Affects Status Importance Assigned to Milestone
NetworkManager
Fix Released
Medium
network-manager (Ubuntu)
Medium
Unassigned
Xenial
Low
Aron Xu
network-manager-applet (Ubuntu)
High
Aron Xu
Xenial
High
Aron Xu

Bug Description

[Impact]

Users cannot select TLS certificate when connecting to a network that requires TLS type 802.1X authentication

[Test case]
STR:
1. Click on Connections icon in status panel
2. Click on Edit connections
3. Select Wired connection
4. Go to 802.1x tab
5. Check the Use 802.1X checkbox
6. Choose TLS
7. Click on Secret key button
8. In file chooser navigate to the folder where key is located and try to select key file - the list is empty

For wifi connection:
1. Click on Connections icon in status panel
2. Click on Edit connections
3. Select Wi-Fi connection
4. Go to Wi-Fi Security tab
5. Select WPA & WPA2 Enterprise in the drop-down list
6. Choose TLS
7. Click on (None) next to Private key
8. In file chooser navigate to the folder where key is located and try to select key file - the list is empty

[Regression Potential]
The fix is quite straight forward and the possibility of causing regression is limited.

Revision history for this message
Ervin (ervin-kamberoski) wrote :

Hello Arcady,

Would you mind sharing the procedure you used to configure the network manually with wpa_supplicant?

Thank you.

Ervin

Revision history for this message
Arkady (arkann1985) wrote :

Hello Ervin,

Sure. Here are the steps I used to configure wired connection:
1. place your certificate, CA certificate and secret key files in some directory (in my case it is ~/.certs)
2. create file /etc/wpa_supplicant/wired.conf using sudo with the following content:

ctrl_interface=/var/run/wpa_supplicant
eapol_version=1
ap_scan=0
network={
eapol_flags=0
key_mgmt=IEEE8021X
eap=TLS
identity="<username>@<domain>"
ca_cert="/home/<user>/.certs/<ca_cert>.pem"
client_cert="/home/<user>/.certs/<certificate>.crt"
private_key="/home/<user>/.certs/<private_key>.pem"
private_key_passwd="<password>"
}

3. test wpa_supplicant with the following commands:
sudo wpa_supplicant -c /etc/wpa_supplicant/wired.conf -i eth<N> -B -D wired
sudo dhclient eth<n>

If internet now works then proceed to the next step

4. add the following lines to file /etc/network/interfaces
auto eth<N>
iface eth<N> inet dhcp
    pre-up wpa_supplicant -c/etc/wpa_supplicant/wired.conf -ieth<N> -D wired -B > /var/log/ifup_wpa1.log 2> /var/log/ifup_wpa2.log

For wireless network wpa_supplicant config file should be like:

ctrl_interface=/var/run/wpa_supplicant
        ctrl_interface_group=0
        eapol_version=1
        ap_scan=1
        fast_reauth=1
network={
        ssid="<network_ssid>"
        scan_ssid=1
        key_mgmt=WPA-EAP
        proto=WPA2
        pairwise=CCMP
        group=CCMP
        eap=TLS
        identity="<username>@<domain>"
        ca_cert="/home/<user>/.certs/<ca_cert>.pem"
        client_cert="/home/<user>/.certs/<certificate>.crt"
        private_key="/home/<user>/.certs/<private_key>.pem"
        private_key_passwd="<password>"
        priority=1
        }

Revision history for this message
Ervin (ervin-kamberoski) wrote :

Arcady, thank you for your help! I succeeded to get it working.

Best Regards,

Ervin

Revision history for this message
Mat (mathieu-lemaitre) wrote :

same problem here, for a wifi eap-tls connection: I can't select the private key, the list is empty

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in network-manager-openvpn (Ubuntu):
status: New → Confirmed
Revision history for this message
Konstal (konni33100) wrote :

I can confirm this problem. The secret key wont show up in the file selector. The file format (.key, .pem or .p12) does not matter.

Another Problem is: When a ca-cert file is selected and a password is being typed in, the network create dialog crashes.

summary: - Can't select secret key for TLS auth on wired connection
+ Can't select secret key for TLS auth on wired or wifi connection
Konstal (konni33100)
tags: added: wifi
tags: removed: wifi
Revision history for this message
Konstal (konni33100) wrote : Re: Can't select secret key for TLS auth on wired or wifi connection

This bug prevents me from connecting to eduroam university wifi connection.

Konstal (konni33100)
description: updated
Konstal (konni33100)
affects: network-manager-openvpn (Ubuntu) → network-manager-applet (Ubuntu)
Revision history for this message
Konstal (konni33100) wrote :

Hello Arkady,

the bug is located at the network-manager-applet package, because it is handling the TLS settings applet.

Here is a workaround to see all files in the file selector. This is not a complete fix.

1. Make sure you can download source packages. See more information here: http://askubuntu.com/questions/28372/how-do-i-get-and-modify-the-source-code-of-packages-installed-through-apt-get

2. Open commandline, create an empty folder and 'cd' to it.

3. Get the source code of the package:
apt-get source network-manager-gnome

4. Apply the patch attached to this comment, first download the patch file to current folder, then:
patch < file-selector-workaround.patch

5. Get build dependencies for this package:
sudo apt-get build-dep network-manager-gnome

6. Build package with workaround:
cd network-manager-applet-1.2.0
dpkg-buildpackage -rfakeroot -uc -b

7. Install modified package:
cd ..
sudo dpkg -i network-manager-gnome_1.2.0-0ubuntu0.16.04.1_amd64.deb

8. Reboot and now the file selector will show the key files for wifi and wired configuration.

Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "workaround patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Revision history for this message
Sebastien Bacher (seb128) wrote :

Thank you for your bug report, indeed that's a bug and it has been reported/fixed upstream

n-m commit
https://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=9a37d1d970bf5bf1aab35468aabccb8cbfe2a39b

n-m-applet one
https://git.gnome.org/browse/network-manager-applet/commit/?h=nma-1-2&id=037c5721d89b20c46ecc53e05d9867fd4d969412

bug
https://bugzilla.gnome.org/show_bug.cgi?id=763578

Aron, can you make sure the fix is part of the next xenial SRU round?

Changed in network-manager-applet (Ubuntu):
importance: Undecided → High
status: Confirmed → In Progress
assignee: nobody → Aron Xu (happyaron)
Changed in network-manager-applet:
importance: Unknown → Medium
status: Unknown → Fix Released
Revision history for this message
Sebastien Bacher (seb128) wrote :
Changed in network-manager-applet (Ubuntu):
status: In Progress → Fix Released
Revision history for this message
Sebastien Bacher (seb128) wrote :

SRU is in the review queue as well

Aron Xu (happyaron)
summary: - Can't select secret key for TLS auth on wired or wifi connection
+ [SRU]Can't select secret key for TLS auth for 802.1X authentication
Aron Xu (happyaron)
description: updated
Changed in network-manager-applet (Ubuntu Xenial):
assignee: nobody → Aron Xu (happyaron)
importance: Undecided → High
status: New → In Progress
Revision history for this message
Martin Pitt (pitti) wrote : Please test proposed package

Hello Arkady, or anyone else affected,

Accepted network-manager-applet into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/network-manager-applet/1.2.0-0ubuntu0.16.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in network-manager-applet (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed
Revision history for this message
Arkady (arkann1985) wrote : Re: [SRU]Can't select secret key for TLS auth for 802.1X authentication

I update network-manager-gnome to the latest version 1.2.0-0ubuntu0.16.04.2 from proposed repository. Now I can select only .p12 files, .pem files still not showing. Should I do something else?

Arkady (arkann1985)
tags: added: verification-failed
removed: verification-needed
Revision history for this message
Mat (mathieu-lemaitre) wrote :

i've tested the new version, but I can't select my private key either. it's a .key file in my case.

Revision history for this message
Adam Conrad (adconrad) wrote : Please test proposed package

Hello Arkady, or anyone else affected,

Accepted network-manager-applet into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/network-manager-applet/1.2.0-0ubuntu0.16.04.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: removed: verification-failed
tags: added: verification-needed
Revision history for this message
Andreas (raffix) wrote : Re: [SRU]Can't select secret key for TLS auth for 802.1X authentication

Hallo Adam,

thank you very much for your work!
I tested the new version, but the bug is still not solved.
However, I can select a key, but not with the ending PEM.

So, I think version 1.2.0-0ubuntu0.16.04.3 has to be fixed again.

Revision history for this message
Aron Xu (happyaron) wrote :

I'm setting this report to verification-done, because the problem is fixed:

1. Previously, if you create a connection from the menu instead of connecting to an SSID that's listed in the discovered Wi-Fi, and select the encryption method, WPA/WPA2 Enterprise is inactive (listed but cannot be selected).
2. This is not presented the same way when connecting to a discovered SSID, but user is not able to connect any 802.1X connection because support for such type of encryption is inactive.
3. After installing the update, creation of 802.1X connections are possible. <-- So the bug is fixed.
4. Some of the keys or certs could not be selected due to the reason of the file's extension name, like .key file, but this is not a problem this fix targets to.

tags: added: verification-done
removed: verification-needed
Revision history for this message
Arkady (arkann1985) wrote :

Aron Xu, if you read original issue description you will find that the problem is you can't select certificate file because file chooser (list of files) is empty. It is absolutely not related to inactive "WPA/WPA2 Enterprise" option. And this issue exists for wired connection also.

Revision history for this message
Arkady (arkann1985) wrote :

I checked latest package 1.2.0-0ubuntu0.16.04.3 and problem still exists. It is impossible to select .pem secret key file for TLS auth type.

tags: added: verification-failed
removed: verification-done
Revision history for this message
Aron Xu (happyaron) wrote :

@arkann1985,

That's another issue, but true they looks very similar. Without the current update, if you are connecting to a discovered SSID then the properties can show-up but you aren't able to select any certificate/key file, if it's not discovered by manually added then the encryption type is not able to be selected.

The problem you can reproduce is which extension is shown in the list... Would you mind to open another report?

tags: added: verification-done
removed: verification-failed
Revision history for this message
Arkady (arkann1985) wrote :

Of course I can open another report but STR of current report shows:
1. Click on Connections icon in status panel
2. Click on Edit connections
3. Select Wired connection
4. Go to 802.1x tab
5. Check the Use 802.1X checkbox
6. Choose TLS
7. Click on Secret key button
8. In file chooser navigate to the folder where key is located and try to select key file - the list is empty

So it is not related to WIFI only or discovered or not discovered network. Exactly this STR is still reproduced. Step 8 still failed. Are you sure that I should open new report? I will created it with exactly same STR.

Revision history for this message
Aron Xu (happyaron) wrote :

Probably not exactly the same steps to reproduce if you want to be precise - the original was saying nothing is listed, that was led by 802.1X support is missing unexpectedly, but now some of the file types can be selected - namely .p12 keys and .pem certs...

Revision history for this message
Arkady (arkann1985) wrote :

I can select only .p12 files. .pem files is not listed. Ok, I'll create new report.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package network-manager-applet - 1.2.0-0ubuntu0.16.04.3

---------------
network-manager-applet (1.2.0-0ubuntu0.16.04.3) xenial; urgency=medium

  * debian/patches/apple-set-out_icon_name-for-WWAN-connections-for-ind.patch:
    use available gsm-3g-* icons so that the icon for mobile is different than
    that used for wifi; to avoid confusing people. (LP: #1571574)

network-manager-applet (1.2.0-0ubuntu0.16.04.2) xenial; urgency=medium

  * cherry-pick upstream patches from post 1.2.2:
    - wireless-security-fix-failed-assertion-in-default_fi.patch:
      Fix TLS cert authentication (LP: #1575614)
    - wireless-security-return-error-on-eap_method_validat.patch:
      Return error on eap_method_validate_filepicker() failure
    - applet-remove-assert-s_con-from-applet_get_active_vp.patch
      Remove the assert which lead to many false assertions (LP: #1578962)
    - apple-set-out_icon_name-for-WWAN-connections-for-ind.patch
      WWAN icon should appear when the connection is activated (LP: #1571574)

 -- Mathieu Trudel-Lapierre <email address hidden> Wed, 01 Jun 2016 15:15:49 -0400

Changed in network-manager-applet (Ubuntu Xenial):
status: Fix Committed → Fix Released
Revision history for this message
Brian Murray (brian-murray) wrote : Update Released

The verification of the Stable Release Update for network-manager-applet has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Aron Xu (happyaron)
Changed in network-manager (Ubuntu):
status: New → Fix Released
Changed in network-manager (Ubuntu Xenial):
status: New → Triaged
Changed in network-manager (Ubuntu Xenial):
assignee: nobody → Aron Xu (happyaron)
importance: Undecided → Low
Aron Xu (happyaron)
tags: added: desktop-trello-import
Revision history for this message
Will Cooke (willcooke) wrote : Automatically added comment
tags: removed: desktop-trello-import
Revision history for this message
Sergey (sergeyzsg) wrote : Re: [SRU]Can't select secret key for TLS auth for 802.1X authentication

Still can't select private key for new Ethernet Connection -> 802.1x Security:
Authentication TLS

ii network-manager-gnome 1.2.0-0ubuntu0.16.04.3

Revision history for this message
tomuk5 (tomuk5) wrote :

Still not working here either, same problem:

ii network-manager-gnome 1.2.0-0ubuntu0.16.04.3

tomuk5 (tomuk5)
tags: added: verification-failed
removed: verification-done
Revision history for this message
Arkady (arkann1985) wrote :

Confirm. Not working. Here is another opened report: https://bugs.launchpad.net/ubuntu/+source/network-manager-applet/+bug/1592717. Don't know why it is not listed in duplicates of this bug.

Revision history for this message
tomuk5 (tomuk5) wrote :

my experience differs from 1592717 in that no files of any type (der/pem/p12/key) are visible in the "choose your private key" file navigator window.

this matches the original symptoms of this bug.

iv tried all key file types/formats but still cannot see the key file in the browser to select it for the wireless profile.

Revision history for this message
Martin Pitt (pitti) wrote : Please test proposed package

Hello Arkady, or anyone else affected,

Accepted network-manager into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/network-manager/1.2.2-0ubuntu0.16.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in network-manager (Ubuntu Xenial):
status: Triaged → Fix Committed
tags: removed: verification-failed
tags: added: verification-needed
Mathew Hodson (mhodson)
Changed in network-manager (Ubuntu):
importance: Undecided → Medium
affects: network-manager-applet → network-manager
Revision history for this message
Arkady (arkann1985) wrote : Re: [SRU]Can't select secret key for TLS auth for 802.1X authentication

Still can't select my private key. Only .p12 files are listed in file selector. However .pem files also exists in this folder. See attached screenshot.

tags: added: verification-failed
removed: verification-needed
Revision history for this message
Arkady (arkann1985) wrote :

Attached another one screenshot with ls output.

Revision history for this message
Aron Xu (happyaron) wrote :

@arkann1985, it does work for me when selecting the certificate, can you describe more about how did you reproduce the problem?

Revision history for this message
Arkady (arkann1985) wrote :

@happyaron, the STR is exactly like in bag description. I have a folder ".certs" in my home dir. In this folder I have some files. The extension of this files are: ".pem", ".crt" and ".p12".

Installed version of network-manager is: 1.2.2-0ubuntu0.16.04.1

I try to configure TLS for my wired connectino. I go through original STR, press "Secret key" button, in file chooser window I navigate to ".certs" folder and there is only ".p12" file is listed. Files with ".pem" extension are not listed and I'm unable to select my private key. The name of my private key file is "key.pem".

I'm ready to help with testing asap.

Revision history for this message
Aron Xu (happyaron) wrote :

@arkann1985, I wonder what's the version of your network-manager-gnome package?

Revision history for this message
Arkady (arkann1985) wrote :

@happyaron, network-manager-gnome version: 1.2.0-0ubuntu0.16.04.3
I installed only network-manager package from proposed.

Revision history for this message
Amr Ibrahim (amribrahim1987) wrote :

Arkady, please update to network-manager-gnome 1.2.0-0ubuntu0.16.04.4 (in xenial-updates since 2016-09-06) and try to verify this bug again.

If you can't update using Software Updater, use the terminal:
sudo apt update
sudo apt full-upgrade

Revision history for this message
Fedor (raigfp) wrote :

As a workaround, you can drag and drop your private key directly from Files (Nautilus)

Revision history for this message
Arkady (arkann1985) wrote :

Amr Ibrahim, updated all available packages from proposed repository. My network-manager-gnome version is now 1.2.0-0ubuntu0.16.04.4. Still can't select private key.

Fedor, the provided workaround seems to be working. But there is strange message appears that says that my private key is not protected by password. But it is not true, my key is protected. And entered private key password works well. Workaround works well for wired and wifi connections.

Revision history for this message
Aron Xu (happyaron) wrote :

@all, I'm amending this SRU to only .p12 files for which is confirmed working to allow the fix land in -updates, and opened Bug #1627903 for follow-ups of other types key files.

summary: - [SRU]Can't select secret key for TLS auth for 802.1X authentication
+ [SRU]Can't select p12 secret key for TLS auth for 802.1X authentication
Aron Xu (happyaron)
tags: added: verification-done verification-done-xenial
removed: verification-failed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package network-manager - 1.2.2-0ubuntu0.16.04.1

---------------
network-manager (1.2.2-0ubuntu0.16.04.1) xenial; urgency=medium

  * Rebase to upstream 1.2.2 release, patches: (LP: #1589557)
    - dnsmasq-vpn-dns-filtering.patch: updated
    - nm-change-dnsmasq-parameters.diff: updated
    - 0001-dns-use-DBus-to-make-dnsmasq-nameserver-changes.patch: dropped
    - lp1574347-re-read-link-type-if-the-name-changed.diff: dropped
    - libnm-Check-self-still-NMManager-or-not.patch: (LP: #1582301)
    - libnm-don-t-require-initialized-out_encrypted-argume.patch:
      (LP: #1575614)

 -- Aron Xu <email address hidden> Sat, 04 Jun 2016 18:27:47 +0800

Changed in network-manager (Ubuntu Xenial):
status: Fix Committed → Fix Released
Revision history for this message
MK (m-m-kacik) wrote :

I installed fresh Ubuntu 16.04, with network manager 1.2.2-0ubuntu0.16.04.1 and can still repro the issue - none of my p12 encrypted keys are showing up in the list. After dragging and dropping the key as suggested, I get message about "Unencrypted private keys being insecure". Any additional workarounds?

Revision history for this message
Krzysztof Puch (kjpuchala) wrote :

Same for me for the same Ubuntu and NM version.

Revision history for this message
Fedor (raigfp) wrote :

MK, you can just skip the message

Revision history for this message
Tim Wahrendorff (tim.timwahrendorff) wrote :

The message pops up like 20 times. Real fun to "just skip them".

Revision history for this message
Tim Wahrendorff (tim.timwahrendorff) wrote :

The bug still occures within my machine. Wlan can not connect to WPA2 Enterprise. I got lots of "Unencrypted private keys are not secure."- messages, though my private key is encrypted. Network-manager is version 1.2.2-0ubuntu0.16.04.1.

Revision history for this message
SergeyMtv (sem-c) wrote :

Fresh installed 16.04.1 with updates:
network-manager/xenial-proposed,now 1.2.4-0ubuntu0.16.04.01 amd64
network-manager-gnome/xenial-updates,now 1.2.0-0ubuntu0.16.04.4 amd64

I confirm the bug. I see an empty list when try to select private key file (privkey.pem) in 802.1x tab.
The above mentioned workaround with dran&drop from nautilus works with warning message about empty password (wrong).

Revision history for this message
Martin Dünkelmann (nc-duenkekl3) wrote :

Network-Manager Version 1.2.2-0ubuntu0.16.04.4
Linux Mint 18.1 based on Ubuntu 16.04

Same Problem.

*.key File is invisible in the gui....

Revision history for this message
Bryan Wright (catselbow) wrote :

Has there been any progress on this bug? The spurious "unencrypted keys" message persists even in network-manager-gnome 1.2.6-0ubuntu0.16.04.

Revision history for this message
Chewie (hannes-woelfler) wrote :

Hi all

I just stumpled accross the very same issue
At the moment i run network manager version:
network-manager-gnome 1.2.6-0ubuntu0.16.04.4

so it should be fixed -> but I was unable to select my key..

I exported the key following and old HowTo to get wlan running in a linux pc as the company is running windows domains with wpa2 enterprise ..

pfx=my_exported_cert.pfx

        openssl pkcs12 -in $pfx -out cacert.pem -cacerts -nokeys
        openssl pkcs12 -in $pfx -out cert.pem -clcerts -nokeys
        openssl pkcs12 -in $pfx -out key.pem -nocerts

that generated all files required -> prior to that I had to request a new cert with exportable private keys on a windows pc ..

key resulting key.pem was:
file key.pem
key.pem: ASCII text

with header of:
Bag Attributes
    localKeyID: 01 00 00 00
    Microsoft CSP Name: Microsoft Strong Cryptographic Provider
    friendlyName: le-Auth_Ses_ClientUser_KNAPPD-0485e131-adac-48b4-bd80-417a8495e1f3
Key Attributes
    X509v3 Key Usage: 80
-----BEGIN ENCRYPTED PRIVATE KEY-----

And I think that was the issue with this key:

After converting the key to RSA format it worked for me and network manager detected it !.

openssl rsa -in key.pem -out secure.key.key
file secure.key.key
secure.key.key: PEM RSA private key

And now i an running my WPA2 enterprise WLAN :)

regards
Chewie

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.