ANNOUNCE: Review requests
enrico.scholz at informatik.tu-chemnitz.de
Fri Mar 18 17:47:16 UTC 2005
gdk at redhat.com (Greg DeKoenigsberg) writes:
> [... using Bugzilla for fedora.us-like QA-style ...]
> Maybe we should ask the hostile parties to explain, so it doesn't seem
> like an arbitrary decision?
Bugzilla is good for post-release QA. But when you integrate QA in
a pre-release process which leads to automatic package-build and
-publication, it does not suffice:
* you need strong authentication for the actions causing certain actions
(e.g. QA decisions leading to package-builds, tickets which will be
autobuilt (e.g. updates of "trusted" people)). This is required as an
automated package-build and -publication process is extremely attractive
for attackers (IMO).
* Bugzilla does not have an authorisation system for the ticket lifecycle
(e.g. only owner of ticket can verify final build)
* Bugzilla does not have a voting system with authentication
* Bugzilla is unsafe as authentication happens by a predictable
login_cookie (small integer increased by one at every login).
Perhaps you could use Bugzilla as a frontend and the real system evaluates
the GPG signed QA messages sent to a maillist. But that would cause a lot of
additional work for synchronizing the Bugzilla state with that of the
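The requirements listed in the mail (authenticated QA decisions before an automatic build runs, an authorization rule on the ticket lifecycle so that only the owner can verify the final build, and an unguessable session cookie instead of a sequential counter) can be sketched in a small model. The following is an added example, not code from the mail or from Bugzilla or Fedora Extras; it uses HMAC-SHA256 with constructed per-reviewer keys as a stand-in for the GPG signatures the mail proposes, and the names `QAQueue`, `sign_decision` and `issue_session_cookie` are hypothetical.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample keys, one per reviewer; a stand-in for the GPG keys the
# mail proposes (in the real design each reviewer holds their own private key).
REVIEWER_KEYS = {
    "alice": secrets.token_bytes(32),
    "bob": secrets.token_bytes(32),
}


def issue_session_cookie():
    """Unguessable session identifier, in contrast to the sequential
    login_cookie the mail describes: 256 bits from the OS CSPRNG."""
    return secrets.token_urlsafe(32)


def sign_decision(reviewer, ticket, action, key):
    """Build a QA decision message and authenticate it with the reviewer's key.
    HMAC-SHA256 is used here as a stand-in for a detached GPG signature."""
    body = json.dumps(
        {"reviewer": reviewer, "ticket": ticket, "action": action},
        sort_keys=True,
    ).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class QAQueue:
    """Ticket lifecycle: open -> approved (triggers a build) -> verified.
    Every transition requires an authenticated message; only the ticket
    owner may perform the final 'verify'."""

    def __init__(self, keys):
        self.keys = keys
        self.tickets = {}   # ticket id -> {"owner": ..., "state": ...}
        self.builds = []    # ticket ids for which an automated build ran

    def open_ticket(self, ticket, owner):
        self.tickets[ticket] = {"owner": owner, "state": "open"}

    def apply(self, msg):
        """Verify the signature first, then enforce the lifecycle rules.
        Returns a short status string so the caller can log the outcome."""
        data = json.loads(msg["body"])
        key = self.keys.get(data.get("reviewer"))
        if key is None:
            return "rejected: unknown reviewer"
        expected = hmac.new(key, msg["body"], hashlib.sha256).hexdigest()
        # Constant-time comparison; the tag is untrusted input.
        if not hmac.compare_digest(expected, msg["tag"]):
            return "rejected: bad signature"
        ticket = self.tickets.get(data.get("ticket"))
        if ticket is None:
            return "rejected: unknown ticket"
        action = data.get("action")
        if action == "approve":
            if ticket["state"] != "open":
                return "rejected: already approved"   # also stops a replayed approval
            ticket["state"] = "approved"
            self.builds.append(data["ticket"])         # the automated build step
            return "built"
        if action == "verify":
            if ticket["state"] != "approved":
                return "rejected: nothing to verify"
            if data["reviewer"] != ticket["owner"]:
                return "rejected: only the ticket owner may verify"
            ticket["state"] = "verified"
            return "verified"
        return "rejected: unknown action"


def demo():
    """Walk one ticket through the lifecycle and return the outcomes."""
    q = QAQueue(REVIEWER_KEYS)
    q.open_ticket("ticket-1", owner="alice")
    results = []
    # bob approves with his own key: signature valid, build runs
    approve = sign_decision("bob", "ticket-1", "approve", REVIEWER_KEYS["bob"])
    results.append(q.apply(approve))
    # the same message replayed: signature still valid, but no second build
    results.append(q.apply(approve))
    # bob tries to verify: authenticated, but not the owner
    results.append(q.apply(sign_decision("bob", "ticket-1", "verify", REVIEWER_KEYS["bob"])))
    # a message claiming to be alice but signed with the wrong key: rejected
    forged = sign_decision("alice", "ticket-1", "verify", secrets.token_bytes(32))
    results.append(q.apply(forged))
    # alice verifies with her own key
    results.append(q.apply(sign_decision("alice", "ticket-1", "verify", REVIEWER_KEYS["alice"])))
    return results, q.builds


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

The signature is checked before any state is read or changed, so an unauthenticated message cannot trigger a build, and the state machine makes a replayed "approve" harmless. A production version would replace the HMAC with real signature verification against each reviewer's public key and add a timestamp or nonce to the signed body.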