Bug 67034

Summary: D-Bus maintainer bug assignees and security contact
Product: freedesktop.org Reporter: Simon McVittie <smcv>
Component: BugzillaAssignee: fd.o Admin Massive <sitewranglers>
Status: RESOLVED FIXED QA Contact:
Severity: enhancement    
Priority: medium CC: alban.crequy, ralf.habacker, thiago, walters
Version: unspecified   
Hardware: Other   
OS: All   
Whiteboard:
i915 platform: i915 features:

Description Simon McVittie 2013-07-18 09:52:56 UTC
Hi,
Following some discussion with various D-Bus maintainers[1], we would like to improve the D-Bus security/maintainer/bug-tracking situation in some ways that need sysadmin help.

Here is what I'd ideally like: please implement or discuss. See also Bug #57752, Bug #58996, Bug #61434, Bug #63401 which are similar.

* Create a mailing list dbus-security@lists.freedesktop.org with
  restricted membership, unrestricted posting and restricted
  archives (or even no archives). Advertise this as our security alert
  contact address so we don't have to resort to private email.
  Subscribe those of the D-Bus maintainers with an interest in its security,
  including at least:

  * Simon McVittie (core, dbus-glib, dbus-python; Collabora, Debian)
  * Colin Walters (core, dbus-glib; Red Hat, GNOME)
  * Thiago Macieira (core, QtDBus; Intel, KDE)

* Create either a mailing list dbus-bugs@lists.freedesktop.org or
  an invalid pseudo-account that does not actually receive email
  (like the @gnome.bugs addresses used on bugzilla.gnome.org),
  and make it the QA contact for all dbus components except security.
  Maintainers will be encouraged to "watch" this address on Bugzilla
  (which is better than subscribing to a mailing list, because it
  doesn't email you twice if you are also the assignee.)

* For the components without a single obvious owner (core, GLib),
  set the default assignee to the dbus-bugs list too. java, perl,
  python can keep their current default assignees.

* Delete the dbus/doc Bugzilla component. It was meant to mean a
  Telepathy-like introspection-based format for documentation, but that
  project didn't go anywhere, and everyone thinks it means the
  documentation and specification in dbus.git, which can just be dbus/core.

* Delete the dbus/Qt Bugzilla component. QtDBus bugs have been tracked on
  the Qt bug tracker for about 7 years.

* Create a 'security' Bugzilla component for embargoed
  security bugs, whose default assignee and default QA contact are both
  the security mailing list (or a parallel pseudo-account that can be
  watched by authorized users). Create a Bugzilla group for the
  security contacts (like the existing Telepathy one) and if possible,
  make security bugs private to those people by default.
  (This is basically a simple workaround for bugs like #63401, #61434.)
Comment 1 Simon McVittie 2013-07-18 10:00:52 UTC
Cc'ing Ralf for information, since he's been acting as maintainer for D-Bus-on-Windows.

Ralf: I don't think D-Bus on Windows is suitable for use as a security boundary or has security support (e.g. Bug #35311), and there is no system bus on Windows (which is the part that's security-sensitive on Unix), so I'm not proposing to add you to the security contact list at this stage.
Comment 2 Thiago Macieira 2013-07-18 15:41:12 UTC
Agreed on all points.
Comment 3 Colin Walters 2013-07-18 16:13:49 UTC
This sounds reasonable, although in practice I suspect we'll end up escalating issues very quickly to existing lists like distros@vs.openwall.org.
Comment 4 Simon McVittie 2013-08-19 08:09:06 UTC
*** Bug 68011 has been marked as a duplicate of this bug. ***
Comment 5 Ralf Habacker 2013-08-30 07:09:42 UTC
(In reply to comment #1)
> Cc'ing Ralf for information, since he's been acting as maintainer for
> D-Bus-on-Windows.
> 
> Ralf: I don't think D-Bus on Windows is suitable for use as a security
> boundary or has security support (e.g. Bug #35311), and there is no system
> bus on Windows (which is the part that's security-sensitive on Unix), so I'm
> not proposing to add you to the security contact list at this stage.

I'ts okay for now. If there are real world requests or uses case for that, we will see.
Comment 6 Ralf Habacker 2013-08-30 07:17:46 UTC
(In reply to comment #4)
> *** Bug 68011 has been marked as a duplicate of this bug. ***

I opened this bug, because this bugs is open over a month and noone from the fdo admin team seems to feel responsible to handle fdo infrastructure change requests. How could this project be maintained well, if the basic settings could not be changed ? 

I never got such experiences from the kde admin team, they were very responsive all the time.
Comment 7 Simon McVittie 2014-03-13 12:20:28 UTC
Ping?

If there are any problems with my plan from the sysadmin side, please say. It seems the D-Bus maintainers all agree with me.
Comment 8 Simon McVittie 2014-07-14 12:23:12 UTC
(In reply to comment #0)
>   Create a Bugzilla group for the
>   security contacts (like the existing Telepathy one)

This seems to exist now. The rest of my requested changes would still be useful.
Comment 9 Simon McVittie 2014-09-25 13:09:54 UTC
(In reply to comment #0)
> Here is what I'd ideally like: please implement or discuss. See also Bug
> #57752, Bug #58996, Bug #61434, Bug #63401 which are similar.

Hello sysadmins, here is your bi-monthly reminder that any or all of the changes in Comment #0 would be greatly appreciated.
Comment 10 Simon McVittie 2014-09-25 15:37:49 UTC
(In reply to comment #0)
> * Create a mailing list dbus-security@lists.freedesktop.org with
>   restricted membership, unrestricted posting and restricted
>   archives (or even no archives).

Done. Archives are disabled.

>   Subscribe those of the D-Bus maintainers with an interest in its security,
>   including at least:
> 
>   * Simon McVittie (core, dbus-glib, dbus-python; Collabora, Debian)
>   * Colin Walters (core, dbus-glib; Red Hat, GNOME)
>   * Thiago Macieira (core, QtDBus; Intel, KDE)

Subscribed these three for now.

> * Create either a mailing list dbus-bugs@lists.freedesktop.org or
>   an invalid pseudo-account that does not actually receive email
>   (like the @gnome.bugs addresses used on bugzilla.gnome.org),
>   and make it the QA contact for all dbus components except security.

dbus@maint.invalid is this contact.

>   Maintainers will be encouraged to "watch" this address on Bugzilla

Maintainers, please watch that address.

OK, done :-)

> * For the components without a single obvious owner (core, GLib),
>   set the default assignee to the dbus-bugs list too. java, perl,
>   python can keep their current default assignees.

Done

> * Delete the dbus/doc Bugzilla component. It was meant to mean a
>   Telepathy-like introspection-based format for documentation, but that
>   project didn't go anywhere, and everyone thinks it means the
>   documentation and specification in dbus.git, which can just be dbus/core.

Done, all bugs moved to dbus/core

> * Delete the dbus/Qt Bugzilla component. QtDBus bugs have been tracked on
>   the Qt bug tracker for about 7 years.

Not deleted, but closed for new bugs

> * Create a 'security' Bugzilla component for embargoed
>   security bugs

No real need to do this, dbus@maint.invalid is enough. Bugmail for security bugs will go to watchers of dbus@maint.invalid if and only if the watcher is allowed to see the bug.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.