automatically grant watchbugzilla and watchcommits?

Toshio Kuratomi a.badger at gmail.com
Sun Oct 12 18:28:12 UTC 2008


Johan Cwiklinski wrote:
> Toshio Kuratomi wrote:
>> When I brought this up, Bastien Nocera brought up security bugs and not
>> wanting random people to be CC'd before a security bug is resolved.  How
>> should we deal with this?
>>
>> -Toshio
>>
>>   
> Hi,
> 
> Isn't it the work of bugzilla to send security issue mails to only a
> restricted group?
> As we cannot see these bugs in the bugzilla, I think it should not send
> us mail also... But I do not know if bugzilla permits this or not.
> 
AFAIK, bugzilla will send the security mail/allow people to see the
security bug if they are explicitly CC'd on the bug.

You are explicitly CC'd on the bug if you are given the watchbugzilla
acl in pkgdb.

> For the commits, I really do not know, but once committed, any packager
> can get the sources, that would be a "minor" issue, the security hole
> would be resolved at this time, and should come into the repositories
> quickly.
> 
<nod>  I'd like this to be consistent with the watchbugzilla acls if
possible but perhaps having watchcommits be autoapprove but not
watchbugzilla is the way to go.

> Another possibility would be to not allow automatic approval for such
> packages, maybe with an option in the interface, and let the maintainer
> choose if he wants to allow that for his package or not?

It's a possibility but I don't think it's a good one.  Are we trying to
address a maintainer's concerns with such an option or are we trying to
keep security bugs private until the fix can be released?  If the latter
is the goal, making this settable per package is the wrong thing to do.

-Toshio
