Date:   Mon, 3 Oct 2022 09:16:06 +0000
From:   "Artem S. Tashkinov" <aros@....com>
To:     Mike Rapoport <rppt@...nel.org>
Cc:     Al Viro <viro@...iv.linux.org.uk>,
        Steven Rostedt <rostedt@...dmis.org>,
        Theodore Ts'o <tytso@....edu>,
        Thorsten Leemhuis <linux@...mhuis.info>,
        Greg KH <gregkh@...uxfoundation.org>,
        Konstantin Ryabitsev <konstantin@...uxfoundation.org>,
        workflows@...r.kernel.org, LKML <linux-kernel@...r.kernel.org>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        "regressions@...ts.linux.dev" <regressions@...ts.linux.dev>,
        ksummit@...ts.linux.dev,
        Mario Limonciello <mario.limonciello@....com>
Subject: Re: Planned changes for bugzilla.kernel.org to reduce the "Bugzilla
 blues"



On 10/3/22 08:55, Mike Rapoport wrote:
> On Mon, Oct 03, 2022 at 07:41:08AM +0000, Artem S. Tashkinov wrote:
>>
>>
>> On 10/2/22 23:04, Al Viro wrote:
>>> On Sun, Oct 02, 2022 at 10:20:40PM +0000, Artem S. Tashkinov wrote:
>>>
>>>> Bugzilla hasn't been updated in a very long time so it's missing both
>>>> mailing lists and individual kernel developers.
>>>>
>>>> AFAIK, some pieces of kernel have no appropriate mailing lists at all.
>>>> What about that? I've no clue.
>>>
>>> There's that file, right in the root of the source tree.  Called "MAINTAINERS",
>>> in all-caps...  Could have something to do with locating maintainers, could it not?
>>>
>>>> Opt-in will work, except I've no idea how to make it work. Mass email
>>>> all the kernel developers and politely invite them to sign up? Most will
>>>> simply ignore it.
>>>
>>> Sigh...   You really don't seem to appreciate just how deep a septic
>>> tank you've jumped into with your combination of "it should be opt-out"
>>> and "but unsubscribing takes just a minute, what are you unhappy about?!?"
>>>
>>> Maybe you are not using email a lot, but for just about everyone who does...
>>> We have heard that.  Many, many times.  From many sources - spammers,
>>> "legitimate" companies' marketing departments, etc.
>>>
>>> And you keep moving along the same track - the usual reaction of some
>>> company after having pulled back a bloody stump and enjoyed the pile of
>>> explanations of the reasons why opt-out is *NOT* *ACCEPTABLE*, *EVER*
>>> is along the lines of "OK, we'll just spam everyone in our database once
>>> and ask them to opt-in - that must be OK, right?"
>>
>> Being on bugzilla does _not_ mean you'll receive a single email unless
>> someone _specifically_ CC's you.
>
> If I'm not mistaken, bugzilla lets CC people explicitly. How the database
> of emails in bugzilla would help choosing the right people to CC better
> than MAINTAINERS?
>
> You repeated multiple times that bug reports sent to the mailing lists are
> ignored, but what will make emails from bugzilla different from those bug
> reports? Why do you think they will get more attention?

Maybe because they are specific? Maybe because they are not part of a
high volume mailing list such as LKML? Maybe because lots of developers
are _not_ on any mailing lists?

>
>> Anyways, Bugzilla is bad but it surely works. Let's have 100+ more
>> interchanges inventing something most users (for whom Bugzilla exists -
>> which people here keep forgetting all the time) will have a hard time
>> working with.
>
> You keep repeating that bugzilla is better than email, but the major point
> here is not the tools, but the lack of resources to deal with initial
> triage of the bugs and holding users' hand to get a meaningful report.
> Until that changes, there is no point in trying to add more people CC'ed on
> bugzilla reports. They won't be handled unless somebody would want to take
> care of them and forcing people to receive these reports won't make anybody
> more willing to help.

The initial conversation started with the fact that Bugzilla is old,
semi-deprecated, requires MySQL [no idea what's bad about it, Bugzilla
can work with MariaDB and Percona as well] and its components along with
the respective emails are extremely outdated. If I remember correctly
triaging bugs was raised much later in the discussion and is orthogonal
to the topic.

Triaging bugs could be and should be done by the people who are willing
to help [for free]. There's no problem with bugs filed under "Other" if
the reporter has no idea where to file them as long as they are visible
and searchable.

Imagine instead you send your issue to a random mailing list. What is
the chance another person with a similar issue will even find it?
Vanishingly low. The net result? Work and time wasted and no one is aware.

Again the volume of bug reports is relatively low, fewer than two dozen
a week.

Everything about Bugzilla so far has been completely blown out of
proportion:

* The insane number of emails it ostensibly sends: "OMG so much SPAM,
save me from it!"
* The privacy "issue" despite git commits and respective email addresses
being public
* The amount of work required to keep its components and email addresses
up to date - could be done maybe every 12-24 months
* The triaging "issue" which is outside the scope of this conversation

At the same time:

* Multiple reporters can perfectly find the people who have made bad
commits or who are responsible for certain drivers - it's safer to CC
them _via_ Bugzilla than to email them _privately_ or via mailing lists
which entails multiple issues including trust, SPAM, formatting,
English, net etiquette, etc. etc. etc.

You don't like Bugzilla? Fine, never touch it, never visit the website.
Never get emails from it.

Regards,
Artem
