[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [RFE] Auto-approve watchcommits and watchbugzilla in Pkgdb



On 07/06/2009 11:28 AM, Todd Zullinger wrote:
> Tom Lane wrote:
>> Peter Lemenkov <lemenkov gmail com> writes:
>>> Why should we manually approve requests to watch bugzilla and
>>> cvs changes for packages? I'm sure we need to change policy in
>>> order to automatically approve all such requests.
>>
>> Isn't there a security issue there?  I'm not sure I want any random
>> person watching every bz or commit I make.
> 
> I _think_ watchbugzilla could have security risks, as anyone with that
> privilege would see potentially security-sensitive bugs.
> 
> I'm not sure I see what issue there would be with watchcommits.
> Any random person can watch every commit you make right now; they
> just have to subscribe to fedora-extras-commits and filter things on
> your name.  Generally, I think more people watching everyone else's
> commits makes for better security.
> 
> Of course, I could be missing something that watchcommits grants which
> could be a real security risk.  And I'm happy to be enlightened in
> that case.
> 
Nope, autoapproval of watchcommits shouldn't add any problems.  I want
to make the pkgdb UI less cluttered, though, and give people a choice
between signing up to watch everything about a package or nothing by
default.  Giving autoapproval to only one of these but not the other
doesn't help much.

Is someone in a position to verify whether setting security flags on a
bug would or would not let people who are put on the CC list by the
default CC attribute see those bugs?  Is someone in a position to tell
me whether watching a person in bugzilla would also let you get around
this?

-Toshio


Attachment: signature.asc
Description: OpenPGP digital signature

