[Bugzilla-announce-list] Bugzilla APIKey expiration policy

Jeff Fearn jfearn at redhat.com
Wed Feb 22 02:52:22 UTC 2023

Red Hat Bugzilla has introduced a 12 month lifetime for APIKeys. You 
must replace your APIKeys at least once a year. Additionally, any APIKey 
that is not used for 30 days will be suspended but can be re-enabled on 
the account's preferences tab.

All existing production APIKeys have had their creation date set to 
2023-02-19 UTC.

When a key is 11 months old a Bugzilla workflow will be triggered to 
start the process to ban the key. A bug will be created and the owner of 
the key will be CC'd on the bug. The deadline for this bug will be set 
for 60 days after the bug is opened, so the maximum lifetime possible is 
approximately 13 months. The bug description will include the details of 
the key and have a link to the preferences tab to manage the key.

There will be a followup comment to the bug 7 days before the deadline 
to remind the key owner of its imminent banning.

On the deadline date the key will be banned and will not be usable again.

If the key's owner revokes a key with a pending banning bug then the bug 
will be closed and the key will be banned, and thus will never again be 
usable after it is revoked.

Additionally, a second policy has been introduced to revoke keys after 30 
days of inactivity. Unlike banning, revoking isn't permanent; the key 
owner can enable the key in the APIKey preferences page. A link to the 
APIKey preferences tab is included in the email sent to notify the key 
owner of the revocation.

Cheers, Jeff.

Jeff Fearn
Portfolio Life Cycle Management
Red Hat, APAC.