
Re: No more Bugzilla for me



On Wed, 2009-04-22 at 14:31 +1000, Rodd Clarkson wrote:
> On Tue, 2009-04-21 at 17:43 -0700, Adam Williamson wrote:
> > On Tue, 2009-04-21 at 17:16 -0700, Jesse Keating wrote:
> > > On Wed, 2009-04-22 at 06:45 +0800, Basil Mohamed Gohar wrote:
> > > > I agree, actually.  Can poorly-authenticated access to Bugzilla really 
> > > > cause such a degree of havoc?
> > > 
> > > It can leak NDA information from Red Hat partners to non-Red Hat folks,
> > > which could cause Red Hat to be sued.
> > 
> > So, another Red Hat issue affecting Fedora. :\ I presume the enhanced
> > busybodying can't only be enforced on the accounts which can actually
> > access restricted info?
> 
> Ah, I'm a little confused.
> 
> All that was requested was a change of password.  This doesn't stop Joe
> Public from signing up and accessing Bugzilla, and presumably doesn't
> stop Joe from viewing leaky NDAs.
> 
> All it seems to do is make me have to change a password.

The point is that some accounts in Bugzilla have access to read special
bugs (containing NDA and CVE information), and so we have to enforce
strong security standards on all Bugzilla accounts, if my presumption
that it can't be done only for those accounts is correct.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net

