[RFE] Auto-approve watchcommits and watchbugzilla in Pkgdb (2nd try)

Toshio Kuratomi a.badger at gmail.com
Wed Jul 29 13:30:27 UTC 2009


On 07/29/2009 01:59 AM, Till Maas wrote:
> On Tue, Jul 28, 2009 at 01:54:20PM -0700, Toshio Kuratomi wrote:
> 
>> It was in my post to the last thread::
>> """
>> Is someone in a position to verify whether setting security flags on a
>> bug would or would not let people who are put on the CC list by the
>> default cc attribute see those bugs?  Is someone in a
>> position to tell me if watching a person in bugzilla would also let you
>> violate this?
>> """
>>
>> I think people are generally amenable to autoapproving CC to
>> watchbugzilla as long as security bugs do not send updates out to random
>> people who have signed up to be CC'd.  Knowing just how security bugs
>> work allows us to evaluate what the risks are.
> 
> How about just testing this? Is the following what you think may cause trouble?
> 
> 1) Security bug 12345 against package foo is created
> 2) Alice requests watchbugzilla for package foo
> 3) Alice can now watch bug 12345
> 
Reverse steps 1 and 2.

> We can test this with this bug I marked as security sensitive:
> https://bugzilla.redhat.com/show_bug.cgi?id=472110
> 
> You can now apply for watchbugzilla here:
> https://admin.fedoraproject.org/pkgdb/packages/name/pam_mount
> 
> According to the Bugzilla docs, only people that are already on the CC
> list can access restricted bugs, and this can also be disabled:
> 
> http://www.bugzilla.org/docs/tip/en/html/groups.html
> 
> | By default, bugs can also be seen by the Assignee, the Reporter, and by
> | everyone on the CC List, regardless of whether or not the bug would
> | typically be viewable by them. Visibility to the Reporter and CC List
> | can be overridden (on a per-bug basis) by bringing up the bug, finding
> | the section that starts with "Users in the roles selected below..."  and
> | un-checking the box next to either 'Reporter' or 'CC List' (or both). 
> 
This implies that autoapproving watchbugzilla would allow people to see
security bugs.

Is the same thing true of watching a person?  till, I'm now watching
till-opensource.name, if you want to open a new security bug and see if
I get CC'd.

-Toshi
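The visibility rule quoted from the Bugzilla groups documentation, and the "reverse steps 1 and 2" point, can be modelled directly. The following is an added example written for this page, not Bugzilla's or pkgdb's code: the `User`/`Bug` classes, the `default_cc` table, the e-mail addresses and the helper names are assumptions, and it assumes (as the step ordering in the thread implies) that a package's default CC list is copied onto a bug only at the moment it is filed.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    email: str
    groups: frozenset = frozenset()        # Bugzilla groups the user is a member of


@dataclass
class Bug:
    id: int
    reporter: str
    assignee: str
    groups: frozenset = frozenset()        # groups restricting the bug, e.g. {"security"}
    cc: set = field(default_factory=set)
    reporter_accessible: bool = True       # the 'Reporter' box under "Users in the roles selected below..."
    cclist_accessible: bool = True         # the 'CC List' box in the same section


def can_see(user, bug):
    """Visibility rule as stated in the quoted Bugzilla groups documentation."""
    if bug.groups <= user.groups:          # member of every group restricting the bug
        return True
    if user.email == bug.assignee:         # the assignee always sees the bug
        return True
    if bug.reporter_accessible and user.email == bug.reporter:
        return True
    if bug.cclist_accessible and user.email in bug.cc:
        return True
    return False


# Hypothetical stand-in for pkgdb's per-package default CC list (assumption).
default_cc = {"foo": set()}


def approve_watchbugzilla(package, email):
    """Auto-approved watchbugzilla: the watcher lands on the package's default CC."""
    default_cc.setdefault(package, set()).add(email)


def file_bug(bug_id, package, reporter, assignee, security=False):
    """Filing a bug copies the package's default CC onto it (assumed, per the thread)."""
    return Bug(id=bug_id, reporter=reporter, assignee=assignee,
               groups=frozenset({"security"}) if security else frozenset(),
               cc=set(default_cc.get(package, ())))


def alice_can_see_12345(watch_first, cclist_accessible=True):
    """Run the thread's three steps in either order and report what Alice can see."""
    default_cc["foo"] = set()              # fresh state for each run
    alice = User("alice@example.com")     # constructed sample user
    if watch_first:                        # Toshio's ordering: steps 1 and 2 reversed
        approve_watchbugzilla("foo", alice.email)
    bug = file_bug(12345, "foo", "reporter@example.com", "maintainer@example.com",
                   security=True)
    if not watch_first:                    # Till's ordering: bug already exists
        approve_watchbugzilla("foo", alice.email)   # too late, CC of 12345 was fixed at filing
    bug.cclist_accessible = cclist_accessible
    return can_see(alice, bug)


def security_team_can_see():
    """A member of the restricting group sees the bug whatever the CC list says."""
    bug = file_bug(12345, "foo", "reporter@example.com", "maintainer@example.com",
                   security=True)
    return can_see(User("sec@example.com", groups=frozenset({"security"})), bug)
```

With the steps in Till's order Alice never reaches the CC list of bug 12345, so the test proves nothing; with the steps reversed she is on the CC list when the bug is filed and sees it, unless the 'CC List' box is un-checked on that bug. Watching a person, the question left open at the end of the message, is deliberately not modelled here.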
