
Re: [RFE] Auto-approve watchcommits and watchbugzilla in Pkgdb (2nd try)

On 07/29/2009 01:59 AM, Till Maas wrote:
> On Tue, Jul 28, 2009 at 01:54:20PM -0700, Toshio Kuratomi wrote:
>> It was in my post to the last thread::
>> """
>> Is someone in a position to verify whether setting security flags on a
>> bug prevents someone who would be put in the CC list by the default cc
>> attribute would or would not let people see those bugs?  Is someone in a
>> position to tell me if watching a person in bugzilla would also let you
>> violate this?
>> """
>> I think people are generally amenable to autoapproving CC to
>> watchbugzilla as long as security bugs do not send updates out to random
>> people who have signed up to be CC'd.  Knowing just how security bugs
>> work allows us to evaluate what the risks are.
> How about just testing this? Is the following what you think may cause trouble?
> 1) Security bug 12345 against package foo is created
> 2) Alice requests watchbugzilla for package foo
> 3) Alice can now watch bug 12345
Reverse steps 1 and 2.

> We can test this with this bug I marked as security sensitive:
> https://bugzilla.redhat.com/show_bug.cgi?id=472110
> You can now apply for watchbugzilla here:
> https://admin.fedoraproject.org/pkgdb/packages/name/pam_mount
> According to the Bugzilla docs, only people that are already on the CC
> list can access restricted bugs, and this can also be disabled:
> http://www.bugzilla.org/docs/tip/en/html/groups.html
> | By default, bugs can also be seen by the Assignee, the Reporter, and by
> | everyone on the CC List, regardless of whether or not the bug would
> | typically be viewable by them. Visibility to the Reporter and CC List
> | can be overridden (on a per-bug basis) by bringing up the bug, finding
> | the section that starts with "Users in the roles selected below..."  and
> | un-checking the box next to either 'Reporter' or 'CC List' (or both). 
This implies that autoapproving watchbugzilla would allow people to see
security bugs.

Is the same thing true of watching a person?  till, I'm now watching
till-opensource.name, if you want to open a new security bug and see if
I get CC'd.
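To make the visibility question concrete, here is a small model of the Bugzilla rule quoted above (assignee, reporter and CC list can see a restricted bug unless the 'Reporter' / 'CC List' box is un-checked), with the two orderings of Till's steps run through it. This is an added example, not code from the thread, from Bugzilla or from pkgdb; the names, the `fedora_security` group, the package and the step that copies pkgdb watchers into the component's default CC are all constructed assumptions for the demonstration. The `reporter_accessible` / `cclist_accessible` flags correspond to the two checkboxes the docs describe.

```python
"""Toy model of Bugzilla group visibility as described in the quoted docs.

Assumed rule (simplified): a user can see a restricted bug if they are in
every group the bug is restricted to, or if they are the assignee, the
reporter (while 'Reporter' is checked) or on the CC list (while 'CC List'
is checked). All identities and group names below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Bug:
    bug_id: int
    groups: frozenset          # restricting groups; empty means a public bug
    assignee: str
    reporter: str
    cc: set = field(default_factory=set)
    reporter_accessible: bool = True   # the 'Reporter' checkbox
    cclist_accessible: bool = True     # the 'CC List' checkbox


def can_see(bug: Bug, user: str, user_groups: frozenset) -> bool:
    """Visibility check following the quoted Bugzilla documentation."""
    if bug.groups <= user_groups:          # member of all restricting groups
        return True
    if user == bug.assignee:
        return True
    if bug.reporter_accessible and user == bug.reporter:
        return True
    if bug.cclist_accessible and user in bug.cc:
        return True
    return False


def file_bug(bug_id: int, default_cc: set, restricted_groups: set,
             assignee: str, reporter: str, cclist_accessible: bool = True) -> Bug:
    """Create a bug, copying the component's default CC list at creation time
    (assumption: this is how auto-approved watchbugzilla users would land on
    new bugs; the CC list of already-existing bugs is not touched)."""
    return Bug(bug_id, frozenset(restricted_groups), assignee, reporter,
               cc=set(default_cc), cclist_accessible=cclist_accessible)


def watch_then_security_bug(cclist_accessible: bool = True) -> bool:
    """Steps 1 and 2 reversed: Alice is auto-approved for watchbugzilla on
    package foo first, then security bug 12345 is filed against foo."""
    default_cc = {"alice"}                      # pkgdb watcher -> default CC
    bug = file_bug(12345, default_cc, {"fedora_security"},
                   "foo-maintainer", "someone", cclist_accessible)
    return can_see(bug, "alice", frozenset())   # Alice is in no security group


def security_bug_then_watch() -> bool:
    """Till's original order: the security bug exists before Alice requests
    watchbugzilla, so she never enters that bug's CC list."""
    bug = file_bug(12345, set(), {"fedora_security"}, "foo-maintainer", "someone")
    default_cc = {"alice"}                      # approved only after filing
    return can_see(bug, "alice", frozenset()) or ("alice" in bug.cc and bool(default_cc))


if __name__ == "__main__":
    print("watch first, then security bug, CC List checked  :", watch_then_security_bug())
    print("watch first, then security bug, CC List unchecked:", watch_then_security_bug(False))
    print("security bug first, then watch                   :", security_bug_then_watch())
```

Under this model the leak only appears when the watcher is already on the default CC before the restricted bug is filed, and it disappears if the reporter un-checks 'CC List' on that bug; whether watching a *person* in Bugzilla behaves the same way is exactly the open question in the post above and is not modelled here.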

