No more Bugzilla for me

Adam Williamson awilliam at redhat.com
Wed Apr 22 05:09:30 UTC 2009


On Wed, 2009-04-22 at 14:31 +1000, Rodd Clarkson wrote:
> On Tue, 2009-04-21 at 17:43 -0700, Adam Williamson wrote:
> > On Tue, 2009-04-21 at 17:16 -0700, Jesse Keating wrote:
> > > On Wed, 2009-04-22 at 06:45 +0800, Basil Mohamed Gohar wrote:
> > > > I agree, actually.  Can poorly-authenticated access to Bugzilla really 
> > > > cause such a degree of havoc?
> > > 
> > > It can leak NDA information from Red Hat partners to non-Red Hat folks,
> > > which could cause Red Hat to be sued.
> > 
> > So, another Red Hat issue affecting Fedora. :\ I presume the enhanced
> > busybodying can't only be enforced on the accounts which can actually
> > access restricted info?
> 
> Ah, I'm a little confused.
> 
> All that was requested was a change of password.  This doesn't stop Joe
> Public from signing up and accessing Bugzilla, and presumably doesn't
> stop Joe from viewing leaky NDAs.
> 
> All it seems to do is make me have to change a password.

The point is that some accounts in Bugzilla have access to read special
bugs (containing NDA and CVE information), and so we have to enforce
strong security standards on all Bugzilla accounts, if my presumption
that it can't be done only for those accounts is correct.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net



