On Mon, Jan 28, 2013 at 11:51 AM, Frédéric Buclin <lpso...@netscape.net> wrote:
> (Igor jumped into the Bugzilla developers IRC channel, so that's why I
> heard about this thread.)
>
> Ian said:
>
> "I'm willing to provide you with a dump of gcc's bugzilla database if
> you can give me the exact command to run."
>
>
> Sorry, but I have to object! It's not ok to give anyone a plain dump of
> the GCC Bugzilla database for studies or any other reason without some
> sanity check. The Bugzilla database contains all the user account
> passwords and preferences, as well as group permissions. Such a copy of
> the DB would give the possibility to try to crack the passwords locally,
> though the encryption is supposed to be very secure. This means that a
> local access to the DB allows one to skip throttling when someone starts
> typing the wrong password again and again, decreasing the time needed to
> crack passwords. Moreover, having access to group permissions means to
> be able to know who are admins and to try to abuse these accounts in GCC
> Bugzilla itself. This is a security breach.
>
> Bugzilla offers no special tools to generate a sanitized copy of the DB,
> so one shouldn't try to create a dump of the DB and spread it without a
> very good knowledge of Bugzilla internals.

Yes, of course it would not be appropriate to hand out any user information. If bugzilla doesn't have a way to dump just the bug info then I guess crawling is the only way.

Ian