Re: [Bugzilla-announce-list] Action Required: Bugzilla - API Authentication changes

Jeff Fearn replied to my email, but he only copied the internal bugzilla-list, because he wanted to include security details and didn't feel comfortable doing that on a public list. I've selected the most important parts of his replies and deleted the rest. Please see his responses below:

On Wed, Feb 9, 2022 at 1:37 PM Jeff Fearn <jfearn@xxxxxxxxxx> wrote:
On 9/2/2022 20:33, Kamil Paral wrote:
> initially I (and not just me) read the email as "update to the latest
> python-bugzilla and you'll be fine". But after I played with
> bugzilla.stage, and read the announcement more carefully, it seems that the
> only possible authentication method is now using the bugzilla api key, i.e.
> using the username + password login is no longer possible (for API access).
> Is that correct?

Yes this is correct.

> I do have several concerns regarding that. The change seems too sudden and
> a lot of Fedora tooling interacts with bugzilla.

This has been discussed for some time on the internal bugzilla-list.

[snip]

> So, basically two questions:
> 1. Why are we given so little time to react? Can this change wait at least
> until F36 is released (around the end of April), so that the Anaconda and
> ABRT teams (as well as others) can incorporate the changes

The timeline was based on the feedback we got on bugzilla-list.
Technically it's a pretty easy change and no one raised these kinds of
issues.

People with blockers should send a mail to bugzilla-list, or open a
ticket, with all the gory details, and we can mash it out.

The list is better IMO because there are people from other teams who can
contribute to the discussion.

> 2. Is there a good enough justification for completely banning
> username+password authentication? Because this will have a strong impact on
> Fedora quality by reducing the amount of crash reports which we receive, I
> can't imagine it any other way.

This change is driven by security of credentials
[snip]

Based on Jeff's responses, I'd encourage teams that own a high-impact application/tooling affected by this change and can't react quickly enough to post to the internal bugzilla-list and discuss this issue. It seems the deadline could possibly be extended if there are good reasons for it. Teams without access to the internal bugzilla-list can open a bugzilla ticket (against the Bugzilla product) or contact Jeff directly, I assume.
