Hi Sac members,
I installed a Trac plugin to handle this privacy issue. The plugin is called
"securetickets" and can be found on http://trac-hacks.org. The initial
behavior of the plugin was to set all tickets private, then let the user
define which components are public. I modified this to fit OSGeo's needs.
Since everything is public by default, we'll manually set the private
components and everything else will be public. Here's how to use the plugin:

1- Enable the plugin in trac.ini:

    [components]
    securetickets.* = enabled

2- Modify the permission_policies in trac.ini:

    permission_policies = SecureTicketsPolicy, DefaultPermissionPolicy, ...

3- Define private components in trac.ini:

    [securetickets]
    private_components = Vulnerabilities, Component2, ...

To allow a user or a group to view the private tickets, you'll have to give
them the SECURE_TICKET_VIEW permission.

Regards,
Alan
On September 2, 2010 10:31:32 am Frank Warmerdam wrote:
Alan Boudreault wrote:
> Hi,
>
> During a few security tickets we worked on (MapServer), we created the
> tickets to keep track of the different issues and patches. We have
> been asked if it would be possible to create private tickets rather than
> public ones. The reason is simple: since they are security issues, it would
> be better to only reveal them once all the patches are done and the
> release is ready.
>
> I'm aware of a few "private plugins" for Trac and I could take a look at
> them and install one for our MapServer Trac. Unfortunately, since the
> migration of the servers, I think my SAC account hasn't been created.
Alan,
I observe that you are in the "sac" group:
https://www.osgeo.org/cgi-bin/auth/ldap_shell.py?group=sac
and so should be able to log in to the Trac machine. You might need someone
to add sudo permissions. I'd suggest Chris or Howard do that since they
seem to be primarily responsible for the services on this VM and should
effectively ok the request.
I have also, from time to time, had a need for handling security-related
issues and wished there was a way of restricting access to the
corresponding tickets for a while.
Best regards,
--
Alan Boudreault
Mapgears
http://www.mapgears.com
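
A check for the three trac.ini steps described in the message above, added here as an example; it is not part of the original e-mail or the plugin's own code. It assumes permission_policies sits in the [trac] section, and audit_trac_ini and the sample configuration are constructed for illustration.

```python
import configparser

# Constructed sample following the three steps in the message (not a real site config).
SAMPLE_TRAC_INI = """\
[components]
securetickets.* = enabled

[trac]
permission_policies = SecureTicketsPolicy, DefaultPermissionPolicy

[securetickets]
private_components = Vulnerabilities
"""

def _items(value):
    """Split a comma-separated trac.ini value into stripped, non-empty items."""
    return [v.strip() for v in value.split(",") if v.strip()]

def audit_trac_ini(text):
    """Return a list of problems with the securetickets setup (empty list = OK)."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cfg.read_string(text)
    problems = []

    # Step 1: the plugin must be enabled under [components].
    state = cfg.get("components", "securetickets.*", fallback="")
    if state.strip().lower() not in ("enabled", "on"):
        problems.append("plugin not enabled")

    # Step 2: Trac consults policies in order and stops at the first one that
    # decides, so SecureTicketsPolicy must precede DefaultPermissionPolicy,
    # as in the order the message gives.
    policies = _items(cfg.get("trac", "permission_policies", fallback=""))
    if "SecureTicketsPolicy" not in policies:
        problems.append("SecureTicketsPolicy missing")
    elif ("DefaultPermissionPolicy" in policies and
          policies.index("SecureTicketsPolicy") > policies.index("DefaultPermissionPolicy")):
        problems.append("SecureTicketsPolicy listed after DefaultPermissionPolicy")

    # Step 3: at least one real component must be marked private.
    private = _items(cfg.get("securetickets", "private_components", fallback=""))
    if not private:
        problems.append("no private components")
    if "..." in private:
        problems.append("placeholder '...' left in private_components")
    return problems

if __name__ == "__main__":
    print(audit_trac_ini(SAMPLE_TRAC_INI) or "securetickets configuration looks complete")
```

An empty result only covers trac.ini; the SECURE_TICKET_VIEW permission still has to be granted to the users or groups that should see the private tickets.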