[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [RFE] Auto-approve watchcommits and watchbugzilla in Pkgdb (2nd try)



On 07/29/2009 01:59 AM, Till Maas wrote:
> On Tue, Jul 28, 2009 at 01:54:20PM -0700, Toshio Kuratomi wrote:
> 
>> It was in my post to the last thread::
>> """
>> Is someone in a position to verify whether setting security flags on a
>> bug prevents someone who would be put in the CC list by the default cc
>> attribute would or would not let people see those bugs?  Is someone in a
>> position to tell me if watching a person in bugzilla would also let you
>> violate this?
>> """
>>
>> I think people are generally amenable to autoapproving CC to
>> watchbugzilla as long as security bugs do not send updates out to random
>> people who have signed up to be CC'd.  Knowing just how security bugs
>> work allows us to evaluate what the risks are.
> 
> How about just test this? Is the following what to think may cause trouble?
> 
> 1) Security bug 12345 against package foo is created
> 2) Alice requests watchbugzilla for package foo
> 3) Alice can now watch bug 12345
> 
Reverse steps 1 and 2.

> We can test this with this bug I marked as security sensitive:
> https://bugzilla.redhat.com/show_bug.cgi?id=472110
> 
> You can now apply for watchbugzilla here:
> https://admin.fedoraproject.org/pkgdb/packages/name/pam_mount
> 
> According to the Bugzilla docs, only people that are already on the CC
> list can access restricted bugs, and this can also be disabled:
> 
> http://www.bugzilla.org/docs/tip/en/html/groups.html
> 
> | By default, bugs can also be seen by the Assignee, the Reporter, and by
> | everyone on the CC List, regardless of whether or not the bug would
> | typically be viewable by them. Visibility to the Reporter and CC List
> | can be overridden (on a per-bug basis) by bringing up the bug, finding
> | the section that starts with "Users in the roles selected below..."  and
> | un-checking the box next to either 'Reporter' or 'CC List' (or both). 
> 
This implies that autoapproving watchbugzilla would allow people to see
security bugs.

Is the same thing true of watching a person?  till, I'm now watching
till-opensource.name, if you want to open a new security bug and see if
I get CC'd.

-Toshi

Attachment: signature.asc
Description: OpenPGP digital signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]