ANNOUNCE: Review requests

Enrico Scholz enrico.scholz at informatik.tu-chemnitz.de
Fri Mar 18 17:47:16 UTC 2005


gdk at redhat.com (Greg DeKoenigsberg) writes:

> [... using Bugzilla for fedora.us-like QA-style ...]
> Maybe we should ask the hostile parties to explain, so it doesn't seem 
> like an arbitrary decision?

Bugzilla is good for post-release QA. But when you integrate QA in
a pre-release process which leads to automatic package-build and
-publication, it does not suffice:

* you need strong authentication for the actions causing certain actions
  (e.g. QA decisions leading to package-builds, tickets which will be
  autobuilt (e.g. updates of "trusted" people)). This is required as an
  automated packagebuild and -publication process is extremely attractive
  for attackers (IMO).

* Bugzilla does not have an authorisation system for the ticket lifecycle
  (e.g. only owner of ticket can verify final build)

* Bugzilla does not have a voting system with authentication

* Bugzilla is unsafe as authentication happens by a predictable
  login_cookie (small integer increased by one at every login).


Perhaps you could use Bugzilla as a frontend and the real system evaluates
the GPG signed QA messages sent to a maillist. But that would cause a lot of
additional work for synchronizing the Bugzilla state with that of the
system.




Enrico
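An added example (editor's code, not part of Enrico's mail and not Bugzilla's own code) contrasting the login_cookie scheme described above, a counter bumped on every login, with a cookie drawn from crypto/rand and kept server-side only as an HMAC tag. Everything in it is constructed: the user names, the starting counter of 1000, and the attacker model (an attacker who logs in once and probes the cookies next to their own). Go stands in for Bugzilla's Perl.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strconv"
	"sync"
)

// WeakSessions mirrors the scheme criticised in the post: the login cookie is a
// small integer incremented on every login, so one login tells you what every
// other live cookie looks like. (Constructed stand-in, not Bugzilla's code.)
type WeakSessions struct {
	mu    sync.Mutex
	next  int
	owner map[string]string // cookie -> user
}

func NewWeakSessions() *WeakSessions {
	return &WeakSessions{next: 1000, owner: map[string]string{}}
}

func (w *WeakSessions) Login(user string) string {
	w.mu.Lock()
	defer w.mu.Unlock()
	c := strconv.Itoa(w.next)
	w.next++
	w.owner[c] = user
	return c
}

func (w *WeakSessions) UserFor(cookie string) (string, bool) {
	w.mu.Lock()
	defer w.mu.Unlock()
	u, ok := w.owner[cookie]
	return u, ok
}

// StrongSessions hands out 128 random bits and stores only HMAC(key, token),
// so neither another user's cookie nor a leaked session table yields a usable
// cookie; the lookup key is a keyed hash, so map timing tells the client nothing
// about other tokens.
type StrongSessions struct {
	mu    sync.Mutex
	key   []byte
	owner map[string]string // hex(HMAC(key, token)) -> user
}

func NewStrongSessions() *StrongSessions {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return &StrongSessions{key: k, owner: map[string]string{}}
}

func (s *StrongSessions) tag(token []byte) string {
	m := hmac.New(sha256.New, s.key)
	m.Write(token)
	return hex.EncodeToString(m.Sum(nil))
}

func (s *StrongSessions) Login(user string) string {
	tok := make([]byte, 16)
	if _, err := rand.Read(tok); err != nil {
		panic(err)
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.owner[s.tag(tok)] = user
	return hex.EncodeToString(tok)
}

func (s *StrongSessions) UserFor(cookie string) (string, bool) {
	tok, err := hex.DecodeString(cookie)
	if err != nil {
		return "", false
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	u, ok := s.owner[s.tag(tok)]
	return u, ok
}

// HijackNeighbours models an attacker holding one valid cookie (their own) who
// probes the cookies "next to" it: the integer neighbourhood for a counter, or
// a perturbed low byte for an opaque token, which is all one can do without a
// pattern to extrapolate from. It returns the users whose sessions were taken.
func HijackNeighbours(lookup func(string) (string, bool), mine string, window int) []string {
	var victims []string
	if n, err := strconv.Atoi(mine); err == nil {
		for d := -window; d <= window; d++ {
			if d == 0 {
				continue
			}
			if u, ok := lookup(strconv.Itoa(n + d)); ok {
				victims = append(victims, u)
			}
		}
		return victims
	}
	raw, err := hex.DecodeString(mine)
	if err != nil || len(raw) == 0 {
		return victims
	}
	for d := 1; d <= 2*window; d++ {
		g := append([]byte(nil), raw...)
		g[len(g)-1] += byte(d)
		if u, ok := lookup(hex.EncodeToString(g)); ok {
			victims = append(victims, u)
		}
	}
	return victims
}

// Scenario logs in two legitimate users (constructed names) and then the
// attacker, and reports which sessions the attacker can take over.
func Scenario(login func(string) string, lookup func(string) (string, bool)) []string {
	login("alice")
	login("bob")
	mine := login("mallory")
	return HijackNeighbours(lookup, mine, 5)
}

func main() {
	w := NewWeakSessions()
	fmt.Println("weak  :", Scenario(w.Login, w.UserFor))
	s := NewStrongSessions()
	fmt.Println("strong:", Scenario(s.Login, s.UserFor))
}
```

With the counter scheme the attacker's own cookie is 1002 and the two earlier logins sit at 1000 and 1001, which is exactly the "log in once, then act as whoever triggered the last build" problem the post worries about; the random-token scheme gives the same probing nothing.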
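A second added example (again editor's code, not from the post or from any Fedora tooling) sketching the "real system evaluates the signed QA messages" design from the last paragraph together with the rules from the bullet list: the signer is whoever the signature verifies under, a ticket can only be finally verified by its owner, and each key gets one vote. Ed25519 from the Go standard library stands in for OpenPGP so it runs offline; the Signer/Ticket/Action message format, ticket number 1234, the quorum of two approvals and all keys are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// QAMessage is what the bot pulls off the list: the signed text plus a detached
// signature. Identity comes from the key the signature verifies under, never
// from a From: header.
type QAMessage struct {
	Body string
	Sig  []byte
}

type Ticket struct {
	Owner     string          // fingerprint of the submitter
	Approvals map[string]bool // fingerprints that voted +1; one vote per key
	Built     bool
	Verified  bool
}

type Bot struct {
	Keyring   map[string]ed25519.PublicKey // fingerprint -> key
	Reviewers map[string]bool              // fingerprints allowed to vote
	Tickets   map[string]*Ticket
	Quorum    int
}

var (
	ErrBadSig = errors.New("signature does not verify under a keyring key")
	ErrDenied = errors.New("signer not authorised for this action")
)

// Fingerprint is a constructed short key id (stand-in for a PGP fingerprint).
func Fingerprint(pk ed25519.PublicKey) string {
	sum := sha256.Sum256(pk)
	return hex.EncodeToString(sum[:8])
}

// fields parses "Key: value" lines from the signed body.
func fields(body string) map[string]string {
	m := map[string]string{}
	for _, ln := range strings.Split(body, "\n") {
		if kv := strings.SplitN(ln, ":", 2); len(kv) == 2 {
			m[strings.TrimSpace(kv[0])] = strings.TrimSpace(kv[1])
		}
	}
	return m
}

// Process verifies a message and applies the lifecycle policy; it returns the
// authenticated signer and an error when the message must be ignored.
func (b *Bot) Process(msg QAMessage) (string, error) {
	f := fields(msg.Body)
	signer := f["Signer"]
	pk, ok := b.Keyring[signer]
	if !ok || !ed25519.Verify(pk, []byte(msg.Body), msg.Sig) {
		return "", ErrBadSig // unknown key, or body/claimed signer tampered with
	}
	t, ok := b.Tickets[f["Ticket"]]
	if !ok {
		return signer, fmt.Errorf("unknown ticket %q", f["Ticket"])
	}
	switch f["Action"] {
	case "approve":
		if !b.Reviewers[signer] {
			return signer, ErrDenied
		}
		t.Approvals[signer] = true // a repeat vote from the same key changes nothing
		if len(t.Approvals) >= b.Quorum {
			t.Built = true // this is the step that would kick off the autobuild
		}
	case "verify-build":
		if signer != t.Owner || !t.Built {
			return signer, ErrDenied // only the owner, and only after a build exists
		}
		t.Verified = true
	default:
		return signer, fmt.Errorf("unknown action %q", f["Action"])
	}
	return signer, nil
}

func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Sign builds the message a reviewer's mail client would send.
func Sign(priv ed25519.PrivateKey, ticket, action string) QAMessage {
	fp := Fingerprint(priv.Public().(ed25519.PublicKey))
	body := fmt.Sprintf("Signer: %s\nTicket: %s\nAction: %s\n", fp, ticket, action)
	return QAMessage{Body: body, Sig: ed25519.Sign(priv, []byte(body))}
}

// RunScenario walks one constructed ticket through the lifecycle and returns
// its final state plus the errors the bot raised along the way.
func RunScenario() (*Ticket, []error) {
	ownerPub, ownerPriv := NewKey()
	r1Pub, r1Priv := NewKey()
	r2Pub, r2Priv := NewKey()
	_, outsiderPriv := NewKey() // not in the keyring
	b := &Bot{
		Keyring:   map[string]ed25519.PublicKey{Fingerprint(ownerPub): ownerPub, Fingerprint(r1Pub): r1Pub, Fingerprint(r2Pub): r2Pub},
		Reviewers: map[string]bool{Fingerprint(r1Pub): true, Fingerprint(r2Pub): true},
		Tickets:   map[string]*Ticket{"1234": {Owner: Fingerprint(ownerPub), Approvals: map[string]bool{}}},
		Quorum:    2,
	}
	forged := Sign(r1Priv, "1234", "approve") // r1's signature with the Signer line rewritten
	forged.Body = strings.Replace(forged.Body, Fingerprint(r1Pub), Fingerprint(ownerPub), 1)
	var errs []error
	for _, m := range []QAMessage{
		Sign(outsiderPriv, "1234", "approve"),   // ErrBadSig: unknown key
		forged,                                  // ErrBadSig: body no longer matches signature
		Sign(r1Priv, "1234", "approve"),         // first vote
		Sign(r1Priv, "1234", "approve"),         // duplicate vote, ignored
		Sign(ownerPriv, "1234", "verify-build"), // ErrDenied: nothing built yet
		Sign(r2Priv, "1234", "approve"),         // quorum reached, build triggered
		Sign(r1Priv, "1234", "verify-build"),    // ErrDenied: reviewer is not the owner
		Sign(ownerPriv, "1234", "verify-build"), // accepted
	} {
		if _, err := b.Process(m); err != nil {
			errs = append(errs, err)
		}
	}
	return b.Tickets["1234"], errs
}

func main() {
	t, errs := RunScenario()
	fmt.Printf("built=%v verified=%v approvals=%d rejected=%d\n", t.Built, t.Verified, len(t.Approvals), len(errs))
}
```

The Bugzilla-synchronisation cost the post mentions is visible here: the ticket state lives in the bot, so a Bugzilla frontend would have to be updated from it rather than the other way round.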