More cloak-and-dagger at Bukkit

Discuss anything Bukkit related
Inscrutable
Posts: 117
Joined: October 28th, 2011, 5:00 pm
Location: Fortress of Evil, Tasmania, Australia

More cloak-and-dagger at Bukkit

Postby Inscrutable » June 4th, 2012, 5:42 pm

Interesting discussion going on about the infamous duping exploit from CB RB2.0 (I think :D)
Apparently it's too hush-hush to share with the public, and that conveniently fits with their
plans to shut out CB++ (except when it suits their purposes, like porting features...).

The relevant Bukkit Staff policy, in a nutshell, is:
"we will mark tickets private if there is even a hint that it may be damaging to the community as a whole" - TnT


It begs the question: Is it reasonable to suppress stuff in a public project (Bukkit) like this?
I don't see it happening on Spout JIRA (yet)...
(But as md_5 said, it's probably still visible in the commit history, so anyone who knows what
they're looking for could still work it out, I suppose).

http://forums.bukkit.org/threads/access-to-bug-reports.79082/#post-1149778
Regulation Brass Ones, Guv'nor

Drakia
Site Admin
Posts: 553
Joined: October 26th, 2011, 8:20 pm

Re: More cloak-and-dagger at Bukkit

Postby Drakia » June 5th, 2012, 7:31 am

Interesting, I can sort of see where they are coming from (Exploits being public before a fix is bad) but refusing to mark it as public after a fix is pushed? That seems kinda dumb...

Inscrutable
Posts: 117
Joined: October 28th, 2011, 5:00 pm
Location: Fortress of Evil, Tasmania, Australia

Re: More cloak-and-dagger at Bukkit

Postby Inscrutable » June 7th, 2012, 7:07 am

I get it now. The fix didn't work, apparently. Sweet Jiminy Cricket...

lukegb
Posts: 3
Joined: November 19th, 2011, 5:01 pm

Re: More cloak-and-dagger at Bukkit

Postby lukegb » June 9th, 2012, 10:54 am

I'd like to point out that we make the tickets semi-public under dl.bukkit.org when the ticket is mentioned in a commit, so the ticket description will become available at the same time as the fix.

Yes, it is reasonable to suppress information for some time. I point to the cases of Mozilla and Chrome, as well as most other open source projects, all of which do this for security-sensitive tickets.
Mozilla's policy states this:
"As noted above, information about security bugs can be held confidential for some period of time; there is no pre-determined limit on how long that time period might be. However this is offset by the fact that the person reporting a bug has visibility into the activities (if any) being taken to address the bug, and has the power to open the bug report for public scrutiny."

Drakia
Site Admin
Posts: 553
Joined: October 26th, 2011, 8:20 pm

Re: More cloak-and-dagger at Bukkit

Postby Drakia » June 9th, 2012, 7:54 pm

lukegb wrote:I'd like to point out that we make the tickets semi-public under dl.bukkit.org when the ticket is mentioned in a commit, so the ticket description will become available at the same time as the fix.

Yes, it is reasonable to suppress information for some time. I point to the cases of Mozilla and Chrome, as well as most other open source projects, all of which do this for security-sensitive tickets.
Mozilla's policy states this:
"As noted above, information about security bugs can be held confidential for some period of time; there is no pre-determined limit on how long that time period might be. However this is offset by the fact that the person reporting a bug has visibility into the activities (if any) being taken to address the bug, and has the power to open the bug report for public scrutiny."

As I said, it makes sense to mark it private until a fix is pushed (or an RB with a fix, in the case of Bukkit).

