launchpad-dev team mailing list archive

Thread
Date

Re: Changing Lp to not conflate public, private, and securty visibility

To: Kees Cook <kees@xxxxxxxxxxxxx>
From: Curtis Hovey <curtis@xxxxxxxxxx>
Date: Wed, 22 Jun 2011 16:35:39 -0400
Cc: launchpad-dev@xxxxxxxxxxxxxxxxxxx, security@xxxxxxxxxx
In-reply-to: <20110622191613.GU25507@outflux.net>
Organization: i
Reply-to: curtis@xxxxxxxxxx

On Wed, 2011-06-22 at 12:16 -0700, Kees Cook wrote:
> Are you considering this a tristate? public/private/security, or are
> you
> considering it as 2 booleans? public/private and
> security/non-security?
> I ask because I see the "security => public" transition mention above,
> and
> that doesn't make sense to me. :)

Indeed I think this will operate like a tri-state, though the bools can
remain in the schema.

> Most security issues are public. Some aren't. Security issues must
> start
> their life as private so that there is no initial leak if a reporter
> wishes
> it to be private. 

Understood. I think we want public + security to be visible to everyone.
Private + security is visible only to security. Private - security will
be visible only to the bug supervisors, but all users in project roles
will be able to see the private bug when project level permissions are
available.

-- 

__C U R T I S  C.  H O V E Y___________
No matter where you go...there you are.

References

Changing Lp to not conflate public, private, and securty visibility
From: Kees Cook, 2011-06-22