This is the mail archive of the gcc@gcc.gnu.org mailing list for the GCC project.



Re: Bug repositories


On Mon, Jan 28, 2013 at 11:51 AM, Frédéric Buclin <LpSolit@netscape.net> wrote:
> (Igor jumped into the Bugzilla developers IRC channel, so that's why I
> heard about this thread.)
>
> Ian said:
>
> "I'm willing to provide you with a dump of gcc's bugzilla database if
> you can give me the exact command to run."
>
>
> Sorry, but I have to object! It's not ok to give anyone a plain dump of
> the GCC Bugzilla database for studies or any other reason without some
> sanity check. The Bugzilla database contains all the user account
> passwords and preferences, as well as group permissions. Such a copy of
> the DB would give the possibility to try to crack the passwords locally,
> though the encryption is supposed to be very secure. This means that a
> local access to the DB allows one to skip throttling when someone starts
> typing the wrong password again and again, decreasing the time needed to
> crack passwords. Moreover, having access to group permissions means to
> be able to know who are admins and to try to abuse these accounts in GCC
> Bugzilla itself. This is a security breach.
>
> Bugzilla offers no special tools to generate a sanitized copy of the DB,
> so one shouldn't try to create a dump of the DB and spread it without a
> very good knowledge of Bugzilla internals.

Yes, of course it would not be appropriate to hand out any user information.

If bugzilla doesn't have a way to dump just the bug info then I guess
crawling is the only way.

Ian
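
The risk raised in the quoted message (a raw dump carries password hashes and group permissions alongside the bug data) can be avoided by exporting through an allowlist instead of scrubbing a full copy. The sketch below is an added example, not code from this thread or from Bugzilla; the table and column names and the sample rows are constructed for illustration and are not Bugzilla's schema.

```python
import sqlite3

# Allowlist of table -> (columns, row filter). Anything not named here is never
# copied. All names are constructed for this example, not Bugzilla's schema.
ALLOWLIST = {
    "bugs": (["bug_id", "short_desc", "bug_status", "reporter"], "1 = 1"),
    "comments": (["comment_id", "bug_id", "who", "body"], "is_private = 0"),
}

def build_sample_db():
    """Constructed source DB holding bug data next to account secrets."""
    src = sqlite3.connect(":memory:")
    src.executescript("""
        CREATE TABLE bugs (bug_id INTEGER, short_desc TEXT, bug_status TEXT, reporter INTEGER);
        CREATE TABLE comments (comment_id INTEGER, bug_id INTEGER, who INTEGER, body TEXT, is_private INTEGER);
        CREATE TABLE accounts (userid INTEGER, login TEXT, password_hash TEXT);
        CREATE TABLE group_members (userid INTEGER, group_name TEXT);
        INSERT INTO bugs VALUES (1, 'ICE on valid code', 'NEW', 7);
        INSERT INTO comments VALUES (1, 1, 7, 'Reduced testcase attached', 0);
        INSERT INTO comments VALUES (2, 1, 8, 'Embargoed detail', 1);
        INSERT INTO accounts VALUES (7, 'dev@example.org', 'constructed-hash');
        INSERT INTO group_members VALUES (8, 'admin');
    """)
    return src

def export_public(src, dst):
    """Copy only allowlisted columns and rows from src into dst."""
    for table, (cols, where) in ALLOWLIST.items():
        col_list = ", ".join(cols)
        # Identifiers come from the constant allowlist above, never from input.
        dst.execute(f"CREATE TABLE {table} ({col_list})")
        rows = src.execute(f"SELECT {col_list} FROM {table} WHERE {where}").fetchall()
        marks = ", ".join("?" for _ in cols)
        dst.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    dst.commit()
    return dst

def exported_tables(db):
    return sorted(r[0] for r in db.execute("SELECT name FROM sqlite_master WHERE type='table'"))

def leaks(db, needles):
    """Return needle strings found in any exported cell (should be empty)."""
    found = set()
    for table in exported_tables(db):
        for row in db.execute(f"SELECT * FROM {table}"):
            for cell in row:
                found.update(n for n in needles if n in str(cell))
    return sorted(found)
```

Running `leaks` over the export with known secrets from the source as needles gives a cheap pre-release check; a table added to the source later stays out of the export until someone reviews it and adds it to the allowlist.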

