[RFE] Auto-approve watchcommits and watchbugzilla in Pkgdb

Toshio Kuratomi a.badger at gmail.com
Mon Jul 6 18:53:37 UTC 2009


On 07/06/2009 11:28 AM, Todd Zullinger wrote:
> Tom Lane wrote:
>> Peter Lemenkov <lemenkov at gmail.com> writes:
>>> Why should we manually approve requests to watch bugzilla and
>>> cvs changes for packages? I'm sure we need to change policy in
>>> order to automatically approve all such requests.
>>
>> Isn't there a security issue there?  I'm not sure I want any random
>> person watching every bz or commit I make.
> 
> I _think_ watchbugzilla could have security risks, as anyone with that
> privilege would see potentially security-sensitive bugs.
> 
> I'm not sure I see what issue there would be with watchcommits.
> Any random person can watch every commit you make right now, they
> just have to subscribe to fedora-extras-commits and filter things on
> your name.  Generally, I think more people watching everyone else's
> commits makes for better security.
> 
> Of course, I could be missing something that watchcommits grants which
> could be a real security risk.  And I'm happy to be enlightened in
> that case.
> 
Nope, autoapproval of watchcommits shouldn't add any problems.  I want
to make the pkgdb UI less cluttered, though, and give people a choice
between signing up to watch everything about a package or nothing by
default.  Separating only giving autoapproval to one of these but not
the other doesn't help much.

Is someone in a position to verify whether setting security flags on a
bug would or would not prevent someone who would be put in the CC list
by the default cc attribute from seeing those bugs?  Is someone in a
position to tell me if watching a person in bugzilla would also let you
violate this?

-Toshio

