[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [RFE] Auto-approve watchcommits and watchbugzilla in Pkgdb (2nd try)



On Tue, Jul 28, 2009 at 01:54:20PM -0700, Toshio Kuratomi wrote:

> It was in my post to the last thread::
> """
> Is someone in a position to verify whether setting security flags on a
> bug prevents someone who would be put in the CC list by the default cc
> attribute would or would not let people see those bugs?  Is someone in a
> position to tell me if watching a person in bugzilla would also let you
> violate this?
> """
> 
> I think people are generally amenable to autoapproving CC to
> watchbugzilla as long as security bugs do not send updates out to random
> people who have signed up to be CC'd.  Knowing just how security bugs
> work allows us to evaluate what the risks are.

How about just test this? Is the following what to think may cause trouble?

1) Security bug 12345 against package foo is created
2) Alice requests watchbugzilla for package foo
3) Alice can now watch bug 12345

We can test this with this bug I marked as security sensitive:
https://bugzilla.redhat.com/show_bug.cgi?id=472110

You can now apply for watchbugzilla here:
https://admin.fedoraproject.org/pkgdb/packages/name/pam_mount

According to the Bugzilla docs, only people that are already on the CC
list can access restricted bugs, and this can also be disabled:

http://www.bugzilla.org/docs/tip/en/html/groups.html

| By default, bugs can also be seen by the Assignee, the Reporter, and by
| everyone on the CC List, regardless of whether or not the bug would
| typically be viewable by them. Visibility to the Reporter and CC List
| can be overridden (on a per-bug basis) by bringing up the bug, finding
| the section that starts with "Users in the roles selected below..."  and
| un-checking the box next to either 'Reporter' or 'CC List' (or both). 

Regards
Till


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]