From pst  Fri Sep 13 13:54:17 1996
Received: (from pst@localhost)
          by freefall.freebsd.org (8.7.5/8.7.3) id NAA16785;
          Fri, 13 Sep 1996 13:54:17 -0700 (PDT)
Message-Id: <199609132054.NAA16785@freefall.freebsd.org>
Date: Fri, 13 Sep 1996 13:54:17 -0700 (PDT)
From: Paul Traina <pst>
Reply-To: pst
To: FreeBSD-gnats-submit@freebsd.org
Subject: FreeBSD's bug tracking system does not respect confidential
X-Send-Pr-Version: 3.2

>Number:         1608
>Category:       conf
>Synopsis:       FreeBSD's bug tracking system does not respect confidential
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          support
>Submitter-Id:   current-users
>Arrival-Date:   Fri Sep 13 14:00:01 PDT 1996
>Closed-Date:    Sat Apr 11 03:52:34 PDT 1998
>Last-Modified:  Sat Apr 11 03:53:07 PDT 1998
>Originator:     Paul Traina
>Release:        FreeBSD 2.1-STABLE i386
>Organization:
Juniper Networks, Inc.
>Environment:

This is local to the setup of FreeBSD.org's bug-tracking system.

>Description:

gnu/1604 and gnu/1605 were sent in with the confidential flag set, yet
they still appeared in the freebsd-bugs mailing list.  This is a MAJOR
mistake.

>How-To-Repeat:

Send in a confidential bug report.

>Fix:
	
Fix the mailing list/gnats interface on freefall.

>Release-Note:
>Audit-Trail:

From: Peter Wemm <peter@spinner.DIALix.COM>
To: pst@freefall.freebsd.org
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: conf/1608: FreeBSD's bug tracking system does not respect 
 confidential 
Date: Sat, 14 Sep 1996 06:09:52 +0800

 Paul Traina wrote:
 > >Description:
 > 
 > gnu/1604 and gnu/1605 were sent in with the confidential flag set, yet
 > they still appeared in the freebsd-bugs mailing list.  This is a MAJOR
 > mistake.
 
 Well, since the summaries of outstanding PR's are also sent to the list, 
 we don't have much use for the 'confidential' header.  What are we 
 supposed to do? Look at the PR numbers when they arrive from the mailing 
 list and notice that one of them was skipped, and go and see what happened 
 to it?
 
 IMHO, unless we find somebody to filter them by hand, we should delete the 
 confidential: header from the skeleton entirely and make the incoming 
 filter refuse them, giving instructions on the correct place to send 
 security problems and contact addresses for keepers of major parts of the 
 system if it's really essential that it not go out on the mailing lists.  
 Remember, the gnats database is also going out via ctm to the public.
 
 Cheers,
 -Peter
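
The incoming filter Peter Wemm proposes above, sketched as an added example; it is not part of this PR and is not FreeBSD's or GNATS's own code. It assumes plain-text send-pr mail with fields in column 0, as in the record above; `screen_submission`, the sample message and the contact address are hypothetical.

```python
import re
from email import message_from_string

# Placeholder address (assumption): the page only says "security officer".
SECURITY_CONTACT = "security-officer@example.org"
# A send-pr field starts in column 0, e.g. ">Confidential:   no".
FIELD_RE = re.compile(r"^>Confidential:[ \t]*(.*)$", re.MULTILINE | re.IGNORECASE)

# Constructed sample submission, not a real PR.
SAMPLE = """\
From: submitter@example.org
To: gnats-submit@example.org
Subject: constructed sample

>Category:       gnu
>Confidential:   yes
>Synopsis:       constructed sample report
>Description:
 > >Confidential: no   (quoted text, must not count as a field)
"""


def confidential_values(raw_mail: str) -> list[str]:
    """Return every >Confidential: value found in the message body."""
    msg = message_from_string(raw_mail)
    # Assumes undecoded text parts; transfer encodings are not handled here.
    parts = [p.get_payload() for p in msg.walk() if not p.is_multipart()]
    return [v.strip().lower() for v in FIELD_RE.findall("\n".join(parts))]


def screen_submission(raw_mail: str) -> tuple[str, str]:
    """Return ("accept", "") or ("refuse", reply_text) before anything is filed.

    Any value other than an explicit "no" is refused, so "YES", "yes please"
    or an empty value cannot reach the public list or database.
    """
    values = confidential_values(raw_mail)
    if all(v == "no" for v in values):  # also true when the field is absent
        return "accept", ""
    reply = (
        "Your report was NOT filed. This tracker is public: reports are\n"
        "mailed to an open list and the database is distributed publicly.\n"
        f"Send confidential reports to {SECURITY_CONTACT} instead.\n"
    )
    return "refuse", reply
```

The decision is made before the report is numbered or forwarded, so a refused submission leaves no gap in the PR sequence for list readers to notice.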
 
 
State-Changed-From-To: open->suspended 
State-Changed-By: pst 
State-Changed-When: Fri Feb 14 10:10:46 PST 1997 
State-Changed-Why:  
It was the core team's decision to not support confidential bug 
reporting. 
State-Changed-From-To: suspended->closed 
State-Changed-By: phk 
State-Changed-When: Sat Apr 11 03:52:34 PDT 1998 
State-Changed-Why:  
Issue decided on.  Confidential reports should be sent to the security officer. 
>Unformatted:
