No more Bugzilla for me

Ray Van Dolson rayvd at bludgeon.org
Wed Apr 22 16:55:08 UTC 2009


On Wed, Apr 22, 2009 at 12:48:48PM -0400, Felix Miata wrote:
> On 2009/04/22 08:35 (GMT-0700) Adam Williamson composed:
> 
> > The point is that some Bugzilla accounts have access to such sensitive
> > information, thus we need to have a reasonably strong security policy
> > for Bugzilla accounts.
> 
> I don't understand. AFAIK, anyone who asks can receive an account. As a
> consequence, the only real point of a password on an ordinary account is to
> ensure a particular account remains associated with and used by only one person.
> 
> OTOH, sensitive information needs protection from anyone in a position to
> divulge without potential for recompense. Thus access to protected
> information should be limited to non-ordinary accounts, and only those
> non-ordinary accounts should need more than nominal security, if any security
> at all.
> 
> What am I missing?

I think the point is that some accounts are more privileged than
others.  Should these accounts have their passwords compromised, more
sensitive information could potentially be released.

Likely the password change requirements are a "due diligence" thing
that lets the suits say "see we have such and such in place" and
decrease their liability should someone's account be compromised.

Of course, as has been mentioned, requiring these types of frequent
password changes has questionable returns in security value...

Ray




More information about the fedora-devel-list mailing list