| Summary: | Please enable "send secure mail" for security related bugs | | |
|---|---|---|---|
| Product: | [Community] Bugzilla | Reporter: | Christian Stadelmann <fedora> |
| Component: | Email Notifications | Assignee: | Vincent Danen <vdanen> |
| Status: | CLOSED WONTFIX | QA Contact: | tools-bugs <tools-bugs> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 4.4 | CC: | huiwang, mtahir, qgong, vdanen |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-10-15 04:47:16 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |

Description
Christian Stadelmann
2016-10-02 11:32:28 UTC
We looked into this quite a while ago and unless everyone in that group uses GPG or S/MIME and has the secure mail enabled, some mails will go unencrypted or mails will not go out at all beyond "something changed, log in to look". We felt it was quite disruptive to our standard workflow and as a result did not enable it. Having said that, there's nothing wrong with looking into it again and seeing if it is worth enabling at this point.

Ok, Mozilla people have enabled this feature in a way that you cannot receive comments for security sensitive bugs unencrypted. Either you have your GPG or S/MIME certificate configured in Bugzilla or you'll just get a mail that there is a change to a bug but it could not be sent through unsecure email. This email has hints on how to add a key if the user wishes to.

Right, that was the disruptive part. Some people choose to use the web UI for their email and may not be able to decrypt mails as a result (hence the impact to their workflow note).

If this were optional it probably wouldn't be as big of a deal (but then it being optional also would give a false sense of security). Mandating it though, given the number of people impacted, isn't something we pushed. Is there a particular reason you feel this should be implemented, or are you suggesting it just because it's available?

Is it preventing you from reporting security-related bugs because you feel it's unsafe? I'm trying to understand the reasoning/motivation behind the request.

I don't know if this affects anything but I thought I'd mention it. For Bugzilla 5 we will almost certainly have email_in enabled, it will require incoming email to be PGP signed and have the key set-up in the secure mail tab.

FYI The two web UIs are Zimbra and GMail, both have PGP support via:

GMail: https://github.com/google/end-to-end
GMail: https://webpg.org/docs/webpg-userdocs/#!/video/gmail_demo1
Zimbra: https://github.com/Zimbra-Community/pgp-zimlet/wiki

(In reply to Vincent Danen from comment #3)
> If this were optional it probably wouldn't be as big of a deal (but then it
> being optional also would give a false sense of security). Mandating it
> though, given the number of people impacted, isn't something we pushed. Is
> there a particular reason you feel this should be implemented, or are you
> suggesting it just because it's available?

No special reason other than sending unencrypted mails over the internet is allowing some people to MITM (read or modify) them. If there are critical vulnerabilities reported to Bugzilla, this probably will put the security of Red Hat/Fedora at risk since you want to keep them private until they've been fixed. Sending sensitive information about these bugs via unencrypted mail is rendering the "hide this bug from public" feature mostly useless. In fact, this feature seems to behave just "hide it from search engines but don't really try to hide it from adversaries". I think unless you enable this feature you should make sure these kinds of critical vulnerabilities don't land in Bugzilla. Less critical ones are ok imho.

> Is it preventing you from reporting security-related bugs because you feel
> it's unsafe? I'm trying to understand the reasoning/motivation behind the
> request.

I don't expect I'll find any security-related bugs with that high impact any time soon.

(In reply to Jeff Fearn from comment #4)
> I don't know if this affects anything but I thought I'd mention it. For
> Bugzilla 5 we will almost certainly have email_in enabled, it will require
> incoming email to be PGP signed and have the key set-up in the secure mail
> tab.

That sounds like a good idea.
Anyway, anybody developing open source software probably should have a decent PGP key anyway.

(In reply to Jeff Fearn from comment #5)
> FYI The two web UIs are Zimbra and GMail, both have PGP support via:
>
> GMail: https://github.com/google/end-to-end
> GMail: https://webpg.org/docs/webpg-userdocs/#!/video/gmail_demo1
> Zimbra: https://github.com/Zimbra-Community/pgp-zimlet/wiki

There also is https://www.mailvelope.com/ providing PGP support for Firefox and Chromium for many other webmailers.

Anyway, having a mail marked as sensitive stored unencrypted at an untrusted 3rd party (mail hoster) is kind of breaking the idea of marking a bug as sensitive, right?

This is probably more of a concern (and good that it will require messages PGP signed to verify authenticity of the sender). Email is too easy to spoof, and this is a really good use for the PGP support. It's the "send everything encrypted" part that I'm not convinced is as useful.

Christian, for your comments, I agree with them to some degree. Very rarely are super critical bugs reported to Bugzilla from outside that include non-Red Hat people, so everything is contained within the Red Hat "domain" so it's not as though it's freely available. Also with SSL/TLS for mail transport, it makes it a bit more difficult to MitM than your comment implies. That changes, of course, when you have non-Red Hat accounts receiving mail, which is rare.

For the really critical security issues, they almost always come to secalert and our GPG key is noted in a few places so it's super easy to communicate with us about those types of flaws over encryption.

So, not quite just "hide from search engines" =)

Looks like this is a polite no :)