[RFE] Auto-approve watchcommits and watchbugzilla in Pkgdb (2nd try)

Till Maas opensource at till.name
Wed Jul 29 12:53:39 UTC 2009


On Wednesday 29 July 2009 14:00:23 Jon Stanley wrote:
> On Wed, Jul 29, 2009 at 4:59 AM, Till Maas<opensource at till.name> wrote:
> > According to the Bugzilla docs, only people that are already on the CC
> > list can access restricted bugs, and this can also be disabled:
>
> Correct - but everyone that has watchbugzilla is put on the CC list
> when the bug is created.  Therefore, if I create a new security bug
> tomorrow, and Joe Random has watchbugzilla and is therefore on the CC
> list, he'll be able to see that bug.

So are there any rules to decide who is allowed to get watchbugzilla for any
package? How do you decide who is allowed to get watchbugzilla for a package?

In case of very secret security bugs, how do you know that anyone on the
watchbugzilla list is legitimate?

How about just creating these kinds of bugs in the "Security Response" product
and then selecting manually who is allowed to see the bug?

Nevertheless, how about making auto-approval the default but giving package owners
an option to opt out? So if there are package maintainers who have any policy
about who is allowed to get watchbugzilla, then they can enforce it.

Regards
Till
