From jfearn at redhat.com Wed Mar 1 03:29:29 2023
From: jfearn at redhat.com (Jeff Fearn)
Date: Wed, 1 Mar 2023 13:29:29 +1000
Subject: [Bugzilla-announce-list] Bugzilla APIKey expiration policy
In-Reply-To: <9d0b634f-8466-2202-9ecb-bc3f2a543ee5@redhat.com>
References: <9d0b634f-8466-2202-9ecb-bc3f2a543ee5@redhat.com>
Message-ID: <7541b694-3321-87f5-5ecc-863860d6f38e@redhat.com>

On 22/2/2023 12:52, Jeff Fearn wrote:
> Summary
> ------------
> Red Hat Bugzilla has introduced a 12 month lifetime for APIKeys. You
> must replace your APIKeys at least once a year. Additionally, any APIKey
> that is not used for 30 days will be suspended but can be re-enabled on
> the account's preferences tab.
>
> Details
> ---------
> All existing production APIKeys have had their creation date set to
> 2023-02-19 UTC.
>
> When a key is 11 months old a Bugzilla workflow will be triggered to
> start the process to ban the key. A bug will be created, the owner of
> the key will be CC'd on the bug. The deadline for this bug will be set
> for 60 days after the bug is opened, so the maximum lifetime possible is
> approximately 13 months. The bug description will include the details of
> the key and have a link to the preferences tab to manage the key.
>
> There will be a followup comment to the bug 7 days before the deadline
> to remind the key owner of its imminent banning.
>
> On the deadline date the key will be banned and will not be usable again.
>
> If the key's owner revokes a key with a pending banning bug then the bug
> will be closed and the key will be banned, and thus will never again be
> usable after it is revoked.
>
> Additionally a second policy has been introduced to revoke keys after 30
> days of inactivity. Unlike banning, revoking isn't permanent, the key
> owner can enable the key in the APIKey preferences page. A link to the
> APIKey preferences tab is included in the email sent to notify the key
> owner of the revocation.

Hi, after feedback on this policy we have decided to revoke the
auto-revoke process. This will be in the next Red Hat Bugzilla release [1].

Cheers, Jeff.

1: https://bugzilla.redhat.com/show_bug.cgi?id=2174291

--
Jeff Fearn
Portfolio Life Cycle Management
Red Hat, APAC.