public inbox for overseers@sourceware.org
Subject: Re: Bug repositories
From: Frédéric Buclin @ 2013-01-28 19:51 UTC
  To: GCC Mailing List, Ian Lance Taylor, igor.kovacevic7; +Cc: overseers

(Igor jumped into the Bugzilla developers IRC channel, so that's why I
heard about this thread.)

Ian said:

"I'm willing to provide you with a dump of gcc's bugzilla database if
you can give me the exact command to run."


Sorry, but I have to object! It's not ok to give anyone a plain dump of
the GCC Bugzilla database for studies or any other reason without some
sanity check. The Bugzilla database contains all the user account
passwords and preferences, as well as group permissions. Such a copy of
the DB would make it possible to try to crack the passwords locally,
though the encryption is supposed to be very secure. This means that
local access to the DB allows one to skip the throttling that kicks in
when someone types the wrong password again and again, decreasing the
time needed to crack passwords. Moreover, having access to group
permissions means being able to know who the admins are and to try to
abuse these accounts in GCC Bugzilla itself. This is a security breach.

Bugzilla offers no special tools to generate a sanitized copy of the DB,
so one shouldn't try to create a dump of the DB and spread it without a
very good knowledge of Bugzilla internals.


LpSolit


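The "sanity check" the message above asks for can at least be automated for the obvious cases. The following is an added example, not a Bugzilla tool and not code from this thread: it scans the text of a mysqldump-style export for tables and columns that carry account secrets or access-control data before the file is handed to anyone. The table and column names (`profiles`, `cryptpassword`, `logincookies`, `tokens`, `user_group_map`, and so on) are assumed from the Bugzilla schema and should be checked against the live installation; the sample dump is constructed for the example.

```python
import re

# Bugzilla tables that carry account secrets or access-control data.
# Assumption: names follow the Bugzilla schema as the editor remembers it;
# verify against the live installation before relying on this list.
SENSITIVE_TABLES = {
    "profiles": "login names and cryptpassword hashes (offline cracking target)",
    "logincookies": "live session cookies",
    "tokens": "password-reset and other one-time tokens",
    "user_group_map": "group membership (reveals who the admins are)",
    "group_group_map": "group inheritance",
    "email_setting": "per-user mail preferences",
    "profile_setting": "per-user preferences",
}

# Columns that must never leave the server even if their table is otherwise shared.
SENSITIVE_COLUMNS = {"cryptpassword", "cookie", "token"}

# mysqldump writes one "CREATE TABLE `name`" and many "INSERT INTO `name`" lines.
_TABLE_RE = re.compile(
    r"^\s*(?:CREATE TABLE|INSERT INTO)\s+`?(\w+)`?", re.IGNORECASE | re.MULTILINE
)
# Any backtick-quoted identifier; we only act on the ones in SENSITIVE_COLUMNS.
_COLUMN_RE = re.compile(r"`(\w+)`")


def scan_dump(dump_text):
    """Return {finding: reason} for every sensitive table or column in the dump text."""
    findings = {}
    for match in _TABLE_RE.finditer(dump_text):
        table = match.group(1).lower()
        if table in SENSITIVE_TABLES:
            findings[table] = SENSITIVE_TABLES[table]
    identifiers = {ident.lower() for ident in _COLUMN_RE.findall(dump_text)}
    for column in sorted(identifiers & SENSITIVE_COLUMNS):
        findings[f"column:{column}"] = "sensitive column present"
    return findings


def is_safe_to_share(dump_text):
    """True only when the scan turns up nothing; a dump that fails must not leave the server."""
    return not scan_dump(dump_text)


# Constructed mysqldump excerpt for demonstration; not real GCC Bugzilla data.
SAMPLE_DUMP = """
-- constructed sample, not a real dump
CREATE TABLE `bugs` (
  `bug_id` mediumint(9) NOT NULL AUTO_INCREMENT,
  `short_desc` varchar(255) NOT NULL
);
INSERT INTO `bugs` VALUES (1,'ICE on valid code');
CREATE TABLE `profiles` (
  `userid` mediumint(9) NOT NULL,
  `login_name` varchar(255) NOT NULL,
  `cryptpassword` varchar(128) DEFAULT NULL
);
INSERT INTO `profiles` VALUES (1,'alice@example.org','$6$constructed$notarealhash');
INSERT INTO `user_group_map` VALUES (1,1,0,0);
"""

if __name__ == "__main__":
    for finding, reason in scan_dump(SAMPLE_DUMP).items():
        print(f"REFUSE: {finding}: {reason}")
    print("safe to share:", is_safe_to_share(SAMPLE_DUMP))
```

A clean scan is necessary, not sufficient: bug comments and attachments can themselves contain email addresses and other personal data, so this check only catches the structural problems the message names (password hashes, session material, group membership), not everything a reviewer would need to look at.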
Subject: Re: Bug repositories
From: Ian Lance Taylor @ 2013-01-28 20:53 UTC
  To: LpSolit; +Cc: GCC Mailing List, igor.kovacevic7, overseers

On Mon, Jan 28, 2013 at 11:51 AM, Frédéric Buclin <LpSolit@netscape.net> wrote:
> (Igor jumped into the Bugzilla developers IRC channel, so that's why I
> heard about this thread.)
>
> Ian said:
>
> "I'm willing to provide you with a dump of gcc's bugzilla database if
> you can give me the exact command to run."
>
>
> Sorry, but I have to object! It's not ok to give anyone a plain dump of
> the GCC Bugzilla database for studies or any other reason without some
> sanity check. The Bugzilla database contains all the user account
> passwords and preferences, as well as group permissions. Such a copy of
> the DB would make it possible to try to crack the passwords locally,
> though the encryption is supposed to be very secure. This means that
> local access to the DB allows one to skip the throttling that kicks in
> when someone types the wrong password again and again, decreasing the
> time needed to crack passwords. Moreover, having access to group
> permissions means being able to know who the admins are and to try to
> abuse these accounts in GCC Bugzilla itself. This is a security breach.
>
> Bugzilla offers no special tools to generate a sanitized copy of the DB,
> so one shouldn't try to create a dump of the DB and spread it without a
> very good knowledge of Bugzilla internals.

Yes, of course it would not be appropriate to hand out any user information.

If bugzilla doesn't have a way to dump just the bug info then I guess
crawling is the only way.

Ian
