[directory-discuss] Public bug trackers for FSF run websites

[public]

Conclusion: This issue is about setting up a bug tracker for reporting 
website issues for FSF run websites open for public website view. 
Debbugs is a good candidate except for confidential bugs, such bugs can 
be reported to current existing emails.

RMS doesn't have time to participate any more in this issue, he assigned 
Rubén this task but there's no promises that the FSF will solve this. 
Hopefully Matt can help if the FSF hire him again.

David
  > In a public tracker people discuss openly about what to do with 
these
  > issues, you aren't felt ignored, and you don't have to track your 
emails
  > which can be quite burdensome.

RMS: I see your point.
  > > Setting that up would be a lot of work, and may have other
  > > disadvantages.  If I have to ask sysadmins to do this, I will ask 
them
  > > to choose how.
  > >

David
  > I know a skilled sysadmin that might can help.

RMS: Could you please put him in touch address@hidden  Ruben has to 
judge who to accept help from.

David: I've been talking with Ian (the skilled sysadmin) about this and 
he's willing to help out
      if its useful. For example, Ian recommended Debbugs (used at 
debbugs.gnu.org) for public
      view. Confidential bugs can be kept private:

RMS: I see one doubt about this.  Perhaps it is not a good idea to make
all complaints about gnu.org public.

Ian: I think it would just need a notice for people to email
address@hidden  for security flaw reports or anything else which is
better not public and moderation to close bugs which are not likely to
have a productive result for any reason.

RMS: Ian, I am not sure concretely what that means.  How _exactly_ could 
we
arrange to show users this message before they report a problem?

Ian: The way people know to report issues with the main gnu.org pages, I
assume is mostly through the text at the bottom of the page:

"Broken links and other corrections or suggestions can be sent to
<address@hidden>"

For some software package pages, the same text is there, but the address
is changed to a debbugs one, for example <address@hidden> on
https://www.gnu.org/software/bison/. So, for non-package pages which
have the above quote, I imagine doing something similar and changing the
text to:

"Broken links and other corrections or suggestions can be sent to
<address@hidden>, or <address@hidden> for messages you do
not wish to be public."

Where sending to address@hidden creates a debbugs bug.


David: Status of web UI-based bug trackers with confidential option:
* Debbugs: "No such option, and no prospect of there being one, sorry. "
* GitLab: "[checkbox] This issue is confidential and should only be 
visible to team members with at least Reporter access."
* Bugzilla: "Security: [checkbox] Many users could be harmed by this 
security problem: it should be kept hidden from the public until it is 
resolved."

Confidential option checkboxes can of course be enabled by default if 
you want to be 100% sure that no sensitive information is leaking out by 
mistake.

Another way to solve this is using two email addresses, one public and 
one secret. For example gnu.org issues is reported to 
address@hidden, that email could be split to 
address@hidden, address@hidden (or 
address@hidden).


Here's the complete list of FSF run websites:

* gnu.org - Uses Debugs for GNU software but not for the website yet.
* fsf.org
* directory.fsf.org
* defectivebydesign.org
* savannah.gnu.org


Notes

* I've personally aked Matt Lee to set up a bug tracker for
directory.fsf.org. However to quote RMS "Matt is in a complex situation
now -- I think we need to cut
him some slack."

David:
I, Ian, RMS, and Ruben are discussing how to set up a public bug 
tracking system for all FSF run websites. Ruben is in charge, I and Ian 
are just feedback providers. Do you want to participate in the issue?

Matt: Let's see what happens with me getting hired [by the FSF].


David on https://directory.fsf.org/wiki/User:David_Hedlund: Until the 
FSF have set up a public bug tracker for FSF run websites (including 
this website) I'll volunteer on non-FSF run websites and free software 
exclusively.