I've made a couple of small security-related changes to the tracker:

1. Closed issue 35.

   Issues with Severity = security are now only visible to users with
   the Reviewer or Admin roles. Neither the reporter of the issue
   nor users doing triage are exceptions: if you set the Severity to
   security and save, you will be told you don't have permission to
   view the bug. It also will not appear in summary listings
   (including search output).

   I don't plan to fix the issue with triage ever; you just will have
   to remember to do all the work on an issue that you plan to do
   before setting its Severity to security.

   I am of two minds as to whether it makes sense to make exceptions
   for the reporter. In general I think such discussion should take
   place in private email, anyway. If you think that there's a
   strong case for allowing the reporter to view his own security
   bugs, please create an issue and explain. Assign it to me.

2. Closed issue 499.

   The user list used to expose mildly sensitive data to the world,
   including phone numbers and email addresses. Current policy is
   that the user list presents only Username, Realname, and
   Organization, unless your User has the Admin or Reviewer roles.
   You can still get a user's principal email address by going to the
   User page, but not the alternate addresses.

N.B. Per the new security policy, both the above issues are
restricted. Comments on the above policies welcome.

Also, if you have other requests to make regarding the tracker, now
might be a good time because I'm getting acquainted with the Python
code and the templating language again.

XEmacs-Beta mailing list
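
The two policies in the message above, modelled as an added example (not the tracker's own code, and not from the message's author). The role names and the three public user fields come from the message; every function name, the record layout, the other field names and the sample data are assumptions made for illustration.

```python
PRIVILEGED_ROLES = {"Admin", "Reviewer"}
PUBLIC_USER_FIELDS = ("username", "realname", "organization")

def is_privileged(viewer):
    return bool(PRIVILEGED_ROLES & set(viewer["roles"]))

def can_view_issue(viewer, issue):
    # Deliberately ignores issue["reporter"]: the policy makes no
    # exception for the reporter or for whoever is doing triage.
    return issue["severity"] != "security" or is_privileged(viewer)

def list_issues(viewer, issues, text=""):
    # Summary listings and search reuse the item-view check, so a
    # restricted issue cannot leak through a title match.
    return [i["id"] for i in issues
            if can_view_issue(viewer, i) and text.lower() in i["title"].lower()]

def set_severity(viewer, issue, severity):
    # Saves the change, then reports whether the editor can still view
    # the issue. For an unprivileged triager this is False as soon as
    # the value becomes "security".
    issue["severity"] = severity
    return can_view_issue(viewer, issue)

def user_list_row(viewer, user):
    # Field-level filtering for the user list.
    if is_privileged(viewer):
        return dict(user)
    return {k: user[k] for k in PUBLIC_USER_FIELDS}

def user_page(viewer, user):
    # The individual user page additionally shows the principal address
    # (assumed field name "address"), never the alternate addresses.
    row = user_list_row(viewer, user)
    row.setdefault("address", user["address"])
    return row

# Constructed sample data, not taken from any real tracker.
REPORTER = {"username": "alice", "roles": ["User"]}
REVIEWER = {"username": "bob", "roles": ["User", "Reviewer"]}
ISSUES = [
    {"id": 1, "title": "Crash in redisplay", "severity": "normal", "reporter": "alice"},
    {"id": 2, "title": "Crash on crafted file", "severity": "normal", "reporter": "alice"},
]
CAROL = {"username": "carol", "realname": "Carol C.", "organization": "Example Org",
         "address": "carol@example.org", "alternate_addresses": ["cc@example.net"],
         "phone": "555-0100"}
```
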