On 07/06/2009 11:28 AM, Todd Zullinger wrote:
> Tom Lane wrote:
>> Peter Lemenkov <lemenkov@xxxxxxxxx> writes:
>>> Why should we manually approve requests to watch bugzilla and
>>> cvs changes for packages? I'm sure we need to change policy in
>>> order to automatically approve all such requests.
>>
>> Isn't there a security issue there? I'm not sure I want any random
>> person watching every bz or commit I make.
>
> I _think_ watchbugzilla could have security risks, as anyone with that
> privilege would see potentially security-sensitive bugs.
>
> I'm not sure I see what issue there would be with watchcommits.
> Any random person can watch every commit you make right now, they
> just have to subscribe to fedora-extras-commits and filter things on
> your name. Generally, I think more people watching everyone else's
> commits makes for better security.
>
> Of course, I could be missing something that watchcommits grants which
> could be a real security risk. And I'm happy to be enlightened in
> that case.
>

Nope, autoapproval of watchcommits shouldn't add any problems.

I want to make the pkgdb UI less cluttered, though, and give people a choice between signing up to watch everything about a package or nothing by default. Separating only giving autoapproval to one of these but not the other doesn't help much.

Is someone in a position to verify whether setting security flags on a bug prevents someone who would be put in the CC list by the default cc attribute would or would not let people see those bugs? Is someone in a position to tell me if watching a person in bugzilla would also let you violate this?

-Toshio
--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list