Autoapprove watch* acls in the pkgdb

Bastien Nocera bnocera at redhat.com
Fri Oct 26 17:26:11 UTC 2007 

Hey Toshio,

On Fri, 2007-10-26 at 09:51 -0700, Toshio Kuratomi wrote:
> References: <200710261045.l9QAj8nt022071 at bastion.fedora.phx.redhat.com> <1193395741.25047.3.camel at cookie.hadess.net>
> In-Reply-To: <1193395741.25047.3.camel at cookie.hadess.net>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> Content-Transfer-Encoding: 7bit
> 
> Bastien Nocera wrote:
> > Heya,
> > 
> > On Fri, 2007-10-26 at 03:45 -0700, Fedora PackageDB wrote:
> >> Bastien Nocera (hadess) has requested the watchbugzilla acl on bluez-libs (Fedora devel)
> >>
> >> To make changes to this package see:
> >>   https://admin.fedoraproject.org/pkgdb/packages/name/bluez-libs
> > 
> > I'm sure this has been asked before. But why do I need to ask permission
> > to watch a component in bugzilla?
> > 
> It hasn't been asked before on the list but that's a piece of 
> code/policy that I have on my list to fix[1]_.  No time like the present 
> to get some feedback :-)
> 
> Proposal:
> 
> I'd like to have watchbugzilla and watchcommits (and any other watch* 
> acls in the future) auto-approve.  By example:
> 
> 1) Bastien goes to the bluez-libs webpage.
> 2) Clicks the checkbox for watchbugzilla.
> 3) Request is sent to the packagedb which immediately sets the acl.
> 4) Bastien will immediately start being CC'd on all future bluez-libs bugs.
> 
> Does anyone have problems with this piece?

The only problem I could see, is if the bugs filed are security
bugs/sensitive bugs, people adding themselves on the CC: would basically
get access to all those. Probably more a problem on the bugzilla-end
though.

You'd have the same problem if you wanted to enable commits watch
without approval.

> I'm also thinking that we don't need to be as complete about sending 
> mail when someone signs up for a watch* acl.  Currently mail goes out to:
> 
> * fedora-extras-commits at r.c
> * Package owner
> * Package maintainers with approveacls set
> 
> I don't see a reason to send a message to the commits list in this 
> scenario.  Sending to package owner and maintainers I'm hesitant about 
> -- on the one hand, they no longer need to approve the acls so why 
> bother.  On the other, maybe maintainers want to know who has shown 
> interest in their package.

I think we'd still need to keep the approvals for the reasons above.

Cheers

More information about the fedora-devel-list mailing list