On Wed, 2009-04-22 at 14:31 +1000, Rodd Clarkson wrote:
> On Tue, 2009-04-21 at 17:43 -0700, Adam Williamson wrote:
> > On Tue, 2009-04-21 at 17:16 -0700, Jesse Keating wrote:
> > > On Wed, 2009-04-22 at 06:45 +0800, Basil Mohamed Gohar wrote:
> > > > I agree, actually. Can poorly-authenticated access to Bugzilla really
> > > > cause such a degree of havoc?
> > >
> > > It can leak NDA information from Red Hat partners to non-Red Hat folks,
> > > which could cause Red Hat to be sued.
> >
> > So, another Red Hat issue affecting Fedora. :\ I presume the enhanced
> > busybodying can't only be enforced on the accounts which can actually
> > access restricted info?
>
> Ah, I'm a little confused.
>
> All that was requested was a change of password. This doesn't stop Joe
> Public from signing up and accessing bugzilla, and presumably doesn't
> stop Joe from viewing leaky NDA's.
>
> All it seems to do is make me have to change a password.

The point is that some accounts in Bugzilla have access to read special
bugs (containing NDA and CVE information), and so we have to enforce
strong security standards on all Bugzilla accounts, if my presumption
that it can't be done only for those accounts is correct.

--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list