No more Bugzilla for me

King InuYasha ngompa13 at gmail.com
Thu Apr 23 08:12:06 UTC 2009


On Wed, Apr 22, 2009 at 7:22 PM, Carwyn Edwards <carwyn at carwyn.com> wrote:

>
>
> 2009/4/22 Emmanuel Seyman <emmanuel.seyman at club-internet.fr>
>
>>
>> The Bugzilla used by Fedora contains sensitive information (i.e.,
>> restricted to certain accounts). Thus, we need strong passwords
>> on the accounts.
>
>
> Actually, it's only those certain accounts that need strong passwords. As
> long as the application itself is secure, the only passwords that are
> dangerous are the ones that belong to the users with high-security accounts.
>
> The problem here really is that there's no group based separation of auth
> policy.
>
> Strong passwords don't really help verify identity for relatively unknown
> persons anyway. So what if you can prove I know my password. You still have
> no idea who I am.
>
> This is a case of using a sledgehammer to crack a nut. The authenticity of
> most bugzilla.redhat users means very little; it actually means more to the
> end user than the service provider. This approach seems to have affected
> many more users than it really needed to and probably reduced the overall
> security of those "special" accounts by putting them in the same bucket as
> everyone else.
>
> Using something like SPNEGO with HTTP Negotiate (which many browsers now
> support) for the elevated accounts might be better. Add an "elevate privs"
> link, tie that to a trust level inside bugzilla and you're done. Possibly
> even more secure as the super privs are only used when needed, not when
> trawling the standard cruft (think sudo for bugzilla).
>
> Admittedly, from an implementation point of view, what's been done is a lot
> simpler ;-)
>
> --
> fedora-devel-list mailing list
> fedora-devel-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-devel-list
>


Why not secure the actual authentication process with a crypto scheme, such
as AES or Diffie-Hellman? Better yet, if Fedora does move off of the Red Hat
Bugzilla, maybe we could use something else for bug tracking that does
support these schemes, because Bugzilla is very, very slow most of the time I
try to use it.

However, if you really want to be paranoid, why not require YubiKey OTPs for
people using the bugzilla :P j/k
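The "sudo for bugzilla" design sketched in the quoted message (a group-based password policy plus a short-lived elevated trust level that is only granted after a stronger check) can be modelled in a few dozen lines. The block below is an added illustration written for this page; it is not code from Bugzilla, Fedora, or either poster. The group names, the 16-character floor for privileged accounts, the 90-second elevation window, and the HMAC challenge-response standing in for SPNEGO or an OTP are all assumptions made here for the example.

```python
"""Added example (not Fedora's or Bugzilla's code): a toy bug tracker with a
per-group password policy and a time-limited elevated trust level, in the
spirit of the "sudo for bugzilla" idea from the thread.

Assumptions (hypothetical, not from the original message): the group names,
the 16-character floor for privileged groups, the 90-second elevation window,
and the HMAC challenge-response used as the second factor.
"""

import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Trust levels a session can carry. Elevation is separate from login.
BASIC = 0
ELEVATED = 1

# Hypothetical group -> minimum password length. Only the privileged groups
# get the strict rule; ordinary reporters keep the lax one.
MIN_PASSWORD_LEN = {"reporter": 8, "security-team": 16, "admin": 16}
PRIVILEGED_GROUPS = {"security-team", "admin"}
ELEVATION_TTL = 90  # seconds an elevated session stays elevated (assumed)


def password_policy_ok(groups, password):
    """Group-based policy: the floor is the strictest rule among the user's
    groups, so a user in no privileged group is not forced onto it."""
    floor = max(MIN_PASSWORD_LEN.get(g, 8) for g in groups) if groups else 8
    return len(password) >= floor


@dataclass
class Session:
    user: str
    groups: set
    trust: int = BASIC
    elevated_until: float = 0.0


class Tracker:
    """Public bugs need only a login; restricted bugs need a session that was
    elevated with a second factor within the last ELEVATION_TTL seconds."""

    def __init__(self):
        self.restricted = set()
        # Per-user second-factor secret (constructed; stands in for a
        # Kerberos credential or an OTP device binding).
        self.factor_secret = {}

    def enroll_factor(self, user):
        self.factor_secret[user] = secrets.token_bytes(32)
        return self.factor_secret[user]

    def new_challenge(self):
        return secrets.token_bytes(16)

    def second_factor_proof(self, user, challenge):
        """What the client presents: an HMAC of the server's challenge."""
        return hmac.new(self.factor_secret[user], challenge, hashlib.sha256).digest()

    def elevate(self, session, challenge, proof, now):
        """Step-up: only members of privileged groups may elevate, and only
        with a valid proof for this challenge. Grants a short window."""
        if not session.groups & PRIVILEGED_GROUPS:
            return False
        secret = self.factor_secret.get(session.user)
        if secret is None:
            return False
        expected = hmac.new(secret, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof):
            return False
        session.trust = ELEVATED
        session.elevated_until = now + ELEVATION_TTL
        return True

    def is_elevated(self, session, now):
        if session.trust == ELEVATED and now < session.elevated_until:
            return True
        # An expired elevation drops the session back to BASIC automatically.
        session.trust = BASIC
        return False

    def can_view(self, session, bug_id, now):
        if bug_id not in self.restricted:
            return True
        return self.is_elevated(session, now)
```

The point the example makes is the one the message makes: the strong-credential requirement is attached to the privileged groups and to the elevated window, not to every account, and a session that has merely logged in cannot reach a restricted bug until it has stepped up.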


More information about the fedora-devel-list mailing list