Hi everyone,
it happens that a bug is fixed by an improvement or another bug fix either intentionally, e.g., because it turns out they have the same reason or a larger improvement has been implemented to fix several issues at once, or unintentionally, because the developer fixing an issue wasn’t aware of this issue. In these cases, we normally close the bug as “solved by” and don’t set a “fix version”. I propose to change this and to set a “fix version” if the closed bug (“this” issue") isn’t a duplicate of the “other” issue from a user’s point of view. For non-security issues, the precise definition of “duplicate” is up to the person closing the issue. For security issues, a fix version and the correct affects version must be set on “this” issue if one of the following is true for the “other” issue that solved it:
- The “other” issue is not a security issue.
- The “other” security issue has less or a different impact than “this” issue on confidentiality, integrity or availability (like exposing less data or other data).
- The “other” security issue is more difficult to exploit and might not be exploitable in cases where “this” issue is exploitable (possibly depending on configuration, right setup, attacker access or a different kind of user interaction).
- There are XWiki versions on which “this” issue but not the “other” issue is exploitable.
In these cases, a security advisory must also exist that describes “this” issue (can be the same advisory as the one for the “other” issue as long as covers both issues).
The reason for these conditions is that it should be possible with a query on Jira to get all security issues that affect a certain version of XWiki to be able to accurately determine the maximum impact on security for a specific XWiki instance. For non-security issues, it can still be interesting for users to be able to easily see if a certain bug they might have experienced has been fixed in an upgrade they are performing or planning.
Thank you very much for your opinions.
[Edit] My proposal is to apply this policy from now on, I don’t think there is a need to systematically fix old issues but we could of course do a query to find potentially affected security issues.