
Re: [RFE] Auto-approve watchcommits and watchbugzilla in Pkgdb (2nd try)



On Wednesday 29 July 2009 14:00:23 Jon Stanley wrote:
> On Wed, Jul 29, 2009 at 4:59 AM, Till Maas<opensource till name> wrote:
> > According to the Bugzilla docs, only people that are already on the CC
> > list can access restricted bugs, and this can also be disabled:
>
> Correct - but everyone that has watchbugzilla is put on the CC list
> when the bug is created.  Therefore, if I create a new security bug
> tomorrow, and Joe Random has watchbugzilla and is therefore on the CC
> list, he'll be able to see that bug.

So are there any rules to decide who is allowed to get watchbugzilla for any
package? How do you decide who is allowed to get watchbugzilla for a package?

In the case of very secret security bugs, how do you know that anyone on the
watchbugzilla list is legitimate?

How about just creating these kinds of bugs in the "Security Response" product
and then selecting manually who is allowed to see the bug?

Nevertheless, how about making auto-approval the default but giving package owners
an option to opt out? So if there are package maintainers who have any policy
about who is allowed to get watchbugzilla, then they can enforce it.

Regards
Till
