ANNOUNCE: Review requests
Dave Lawrence
dkl at redhat.com
Fri Mar 18 20:58:05 UTC 2005
Matthew Miller wrote:
>On Fri, Mar 18, 2005 at 06:47:16PM +0100, Enrico Scholz wrote:
>
>>* you need a strong authentication for the actions causing certain actions
>> (e.g. QA decisions leading to package-builds, tickets which will be
>> autobuilt (e.g. updates of "trusted" people)). This is required as an
>> automated packagebuild and -publication process is extremely attractive
>> for attackers (IMO).
>
>Bugzilla *could* have better authentication, though. I believe the auth
>stuff is now all modularized.
>
Yes. It supports auth through several different methods.
>>* Bugzilla does not have an authorisation system for the ticket lifecycle
>> (e.g. only owner of ticket can verify final build)
>
>I can see how having that would be good, so that good practices are
>actually enforced.
>
You could do this on the application level using special permission
groups. This is how we enforce workflow here at RH.
>>* Bugzilla does not have a voting system with authentication
>
>Hmmm. Would this really be helpful?
>
>>* Bugzilla is unsafe as authentication happens by a predictable
>> login_cookie (small integer increased by one at every login).
>
>However, this login_cookie is tied to IP address, so while that's still bad,
>it's not as horrible as it sounds. (Oh, I see comments from you in the
>bugzilla bug about this already.) Anyway, not that I'm volunteering right
>now, but I don't think it'd be a herculean effort to make it work in a Whole
>Different Way.
>
Yeah, it is not optimal. It is tied to the IP address, which helps some.
There is work in the BZ community to switch to unique hashes as the
identifier, but this is not widely used yet. I hope to switch ours over to
that when it has had some good testing.
Dave
--
-------------------------------
David Lawrence <dkl at redhat.com>
Red Hat Quality Assurance
-------------------------------
www.redhat.com ftp.redhat.com
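The following is an added example, not code from this thread, from Bugzilla or from Red Hat, and it is written in Python rather than Bugzilla's Perl. It contrasts the sequential login_cookie scheme Enrico and Dave describe (a small integer incremented at every login, bound to the client IP) with a random-token scheme of the kind Dave's "unique hashes" work points toward, and adds a small audit check that a defender can run over the cookies issued by a few test logins to flag the predictable scheme. All class and function names are assumptions of this example.

```python
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    ip: str


class SequentialCookieStore:
    """Weak scheme (as criticised in the thread): login_cookie is a small
    integer increased by one at every login, and the session is tied to
    the client IP.  The IP check limits damage but the cookie is guessable."""

    def __init__(self):
        self._next = 1
        self._sessions = {}

    def login(self, user: str, ip: str) -> str:
        cookie = str(self._next)
        self._next += 1
        self._sessions[cookie] = Session(user, ip)
        return cookie

    def lookup(self, cookie: str, ip: str):
        s = self._sessions.get(cookie)
        if s is None or s.ip != ip:
            return None
        return s.user


class RandomCookieStore:
    """Hardened scheme: a 256-bit token from the OS CSPRNG is handed to the
    client; only its SHA-256 digest is kept server-side, so a read of the
    session table does not yield live cookies.  IP binding is kept as a
    secondary check, as in the original scheme."""

    def __init__(self):
        self._sessions = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user: str, ip: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._sessions[self._key(token)] = Session(user, ip)
        return token

    def lookup(self, token: str, ip: str):
        s = self._sessions.get(self._key(token))
        if s is None or s.ip != ip:
            return None
        return s.user


def looks_predictable(cookies, min_samples: int = 3) -> bool:
    """Audit helper: True when every issued cookie is an integer and
    consecutive logins differ by a constant step (an arithmetic
    progression), which is exactly the pattern the thread warns about."""
    if len(cookies) < min_samples:
        return False
    try:
        values = [int(c) for c in cookies]
    except ValueError:
        return False  # non-numeric tokens cannot form a counter
    steps = {b - a for a, b in zip(values, values[1:])}
    return len(steps) == 1


if __name__ == "__main__":
    # Constructed sample logins for both stores.
    seq, rnd = SequentialCookieStore(), RandomCookieStore()
    users = [("alice", "10.0.0.1"), ("bob", "10.0.0.2"), ("carol", "10.0.0.3")]
    seq_cookies = [seq.login(u, ip) for u, ip in users]
    rnd_cookies = [rnd.login(u, ip) for u, ip in users]
    print("sequential cookies:", seq_cookies, "predictable:", looks_predictable(seq_cookies))
    print("random cookies predictable:", looks_predictable(rnd_cookies))
```

The audit function is deliberately narrow: it only detects a plain counter, which is the specific weakness named in the thread. Run it against cookies captured from your own test accounts after a handful of logins; if it returns True, the session identifier carries no secret and the IP binding is the only thing standing between an attacker and the session.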
More information about the fedora-extras-list mailing list