On 07/29/2009 01:59 AM, Till Maas wrote:
> On Tue, Jul 28, 2009 at 01:54:20PM -0700, Toshio Kuratomi wrote:
>
>> It was in my post to the last thread:
>> """
>> Is someone in a position to verify whether setting security flags on a
>> bug prevents someone who would be put in the CC list by the default cc
>> attribute would or would not let people see those bugs? Is someone in a
>> position to tell me if watching a person in bugzilla would also let you
>> violate this?
>> """
>>
>> I think people are generally amenable to autoapproving CC to
>> watchbugzilla as long as security bugs do not send updates out to random
>> people who have signed up to be CC'd. Knowing just how security bugs
>> work allows us to evaluate what the risks are.
>
> How about just test this? Is the following what you think may cause trouble?
>
> 1) Security bug 12345 against package foo is created
> 2) Alice requests watchbugzilla for package foo
> 3) Alice can now watch bug 12345
> Reverse steps 1 and 2.
> We can test this with this bug I marked as security sensitive:
> https://bugzilla.redhat.com/show_bug.cgi?id=472110
>
> You can now apply for watchbugzilla here:
> https://admin.fedoraproject.org/pkgdb/packages/name/pam_mount
>
> According to the Bugzilla docs, only people that are already on the CC
> list can access restricted bugs, and this can also be disabled:
>
> http://www.bugzilla.org/docs/tip/en/html/groups.html
>
> | By default, bugs can also be seen by the Assignee, the Reporter, and by
> | everyone on the CC List, regardless of whether or not the bug would
> | typically be viewable by them. Visibility to the Reporter and CC List
> | can be overridden (on a per-bug basis) by bringing up the bug, finding
> | the section that starts with "Users in the roles selected below..." and
> | un-checking the box next to either 'Reporter' or 'CC List' (or both).

This implies that autoapproving watchbugzilla would allow people to see security bugs.

Is the same thing true of watching a person? till, I'm now watching till-opensource.name, if you want to open a new security bug and see if I get CC'd.

-Toshi
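The visibility rule quoted from the Bugzilla groups documentation, and the watchbugzilla scenario from the thread, modelled as a small Python check. This is an added illustration, not Bugzilla's or the Fedora package DB's own code; the `Bug` fields and the e-mail addresses are constructed stand-ins for the real records, and `grant_watchbugzilla` simply models the effect of auto-approval (the watcher ends up on the bug's CC list).

```python
# Added example: a model of the Bugzilla visibility rule quoted above
# (assignee, reporter and CC list can see a group-restricted bug unless the
# per-bug "Reporter" / "CC List" access boxes are un-checked).
# Not Bugzilla's own code; field names are constructed for this model.
from dataclasses import dataclass, field


@dataclass
class Bug:
    bug_id: int
    groups: set                          # restriction groups, e.g. {"security"}
    assigned_to: str
    reporter: str
    cc: set = field(default_factory=set)
    reporter_accessible: bool = True     # the per-bug "Reporter" checkbox
    cclist_accessible: bool = True       # the per-bug "CC List" checkbox


def can_see(bug, user, user_groups=frozenset()):
    """True if `user` may view `bug` under the quoted rule."""
    if not bug.groups or bug.groups & set(user_groups):
        return True                      # public bug, or user is in a restriction group
    if user == bug.assigned_to:
        return True
    if user == bug.reporter and bug.reporter_accessible:
        return True
    return user in bug.cc and bug.cclist_accessible


def grant_watchbugzilla(bug, user):
    """Model of auto-approved watchbugzilla: the watcher lands on the CC list."""
    bug.cc.add(user)


def scenario(cclist_accessible=True):
    """Constructed data following the thread: security bug 12345 on package foo,
    then Alice requests watchbugzilla for foo. Returns (visible before, after)."""
    bug = Bug(12345, {"security"}, "maintainer@example.org", "reporter@example.org",
              cclist_accessible=cclist_accessible)
    before = can_see(bug, "alice@example.org")
    grant_watchbugzilla(bug, "alice@example.org")
    after = can_see(bug, "alice@example.org")
    return before, after


if __name__ == "__main__":
    print("CC List access left checked:  ", scenario())        # (False, True)
    print("CC List access un-checked:    ", scenario(False))   # (False, False)
```

With the default per-bug settings the CC'd watcher gains visibility, which is the risk raised in the thread; un-checking the "CC List" box on the bug is the per-bug mitigation the quoted docs describe.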
--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list