On Wednesday 29 July 2009 14:00:23 Jon Stanley wrote:
> On Wed, Jul 29, 2009 at 4:59 AM, Till Maas<opensource till name> wrote:
> > According to the Bugzilla docs, only people that are already on the CC
> > list can access restricted bugs, and this can also be disabled:
>
> Correct - but everyone that has watchbugzilla is put on the CC list
> when the bug is created. Therefore, if I create a new security bug
> tomorrow, and Joe Random has watchbugzilla and is therefore on the CC
> list, he'll be able to see that bug.

So are there any rules to decide who is allowed to get watchbugzilla for any package? How do you decide who is allowed to get watchbugzilla for a package? In case of very secret security bugs, how do you know that anyone on the watchbugzilla list is legitimate?

How about just creating this kind of bug in the "Security Response" product and then selecting manually who is allowed to see the bug?

Nevertheless, how about making autoapproval the default but giving package owners an option to opt out? So if there are package maintainers who have any policy about who is allowed to get watchbugzilla, then they can enforce it.

Regards
Till