Re: Cyrus-imapd orphaned for unknown reason
Just to circle back to this (since I finally have time to catch up on email), and since the ticket was private: We hotfixed a fix for this right after it was noticed and now it's in the upstream pagure-dist-git release as well. Only admins of a package can orphan it. Let us know if you see any other behavior here. kevin signature.asc Description: PGP signature ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Re: Cyrus-imapd orphaned for unknown reason
The real issue is not orphaning itself but the possibility to take the package right away and get full access access for any package in the distribution. On Thu, Mar 18, 2021 at 2:46 PM Kalev Lember wrote: > > On 3/18/21 11:29, Pavel Zhukov wrote: > > Even worse. Every packager (not a member of package) is able to orphan > > *any* package and drop the main admin there. Just verified it. > > I went ahead and filed this as > https://pagure.io/fedora-infrastructure/issue/9745 > > -- > Kalev > ___ > devel mailing list -- devel@lists.fedoraproject.org > To unsubscribe send an email to devel-le...@lists.fedoraproject.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org > Do not reply to spam on the list, report it: > https://pagure.io/fedora-infrastructure -- Pavel Zhukov Software Engineer IRC: landgraf ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Re: Cyrus-imapd orphaned for unknown reason
On 3/18/21 11:29, Pavel Zhukov wrote: Even worse. Every packager (not a member of package) is able to orphan *any* package and drop the main admin there. Just verified it. I went ahead and filed this as https://pagure.io/fedora-infrastructure/issue/9745 -- Kalev ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Re: Cyrus-imapd orphaned for unknown reason
Even worse. Every packager (not a member of package) is able to orphan *any* package and drop the main admin there. Just verified it. On Thu, Mar 18, 2021 at 11:25 AM Miro Hrončok wrote: > > On 18. 03. 21 11:14, Pavel Zhukov wrote: > > So... Looks like the ex-admin of the package was able to orphan one > > somehow and by doing this drop the current admin from the member > > list. Looks like a bug if not a security hole for me. > > An "admin" can remove admins. I don't think that is necessarily an unexpected > permission of an admin. > > I'd argue that the security hole lies in keeping users you don't trust as > admins. > > -- > Miro Hrončok > -- > Phone: +420777974800 > IRC: mhroncok > -- Pavel Zhukov Software Engineer IRC: landgraf ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Re: Cyrus-imapd orphaned for unknown reason
On 18. 03. 21 11:14, Pavel Zhukov wrote: So... Looks like the ex-admin of the package was able to orphan one somehow and by doing this drop the current admin from the member list. Looks like a bug if not a security hole for me. An "admin" can remove admins. I don't think that is necessarily an unexpected permission of an admin. I'd argue that the security hole lies in keeping users you don't trust as admins. -- Miro Hrončok -- Phone: +420777974800 IRC: mhroncok ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Re: Cyrus-imapd orphaned for unknown reason
So... Looks like the ex-admin of the package was able to orphan one somehow and by doing this drop the current admin from the member list. Looks like a bug if not a security hole for me. On Thu, Mar 18, 2021 at 11:07 AM Miro Hrončok wrote: > > On 18. 03. 21 11:03, Pavel Zhukov wrote: > > landgraf (it's me) have not done this :) and pavlix transferred the > > package to me ~3 years ago. > > I've been the default bug assignee for this component since then. > > In that case, no idea. The pagure admins might have some kind of information > about who made this change somewhere in the db and/or logs, but I'm sure. > > -- > Miro Hrončok > -- > Phone: +420777974800 > IRC: mhroncok > -- Pavel Zhukov Software Engineer IRC: landgraf ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Re: Cyrus-imapd orphaned for unknown reason
On 18. 03. 21 11:03, Pavel Zhukov wrote: landgraf (it's me) have not done this :) and pavlix transferred the package to me ~3 years ago. I've been the default bug assignee for this component since then. In that case, no idea. The pagure admins might have some kind of information about who made this change somewhere in the db and/or logs, but I'm sure. -- Miro Hrončok -- Phone: +420777974800 IRC: mhroncok ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Re: Cyrus-imapd orphaned for unknown reason
landgraf (it's me) have not done this :) and pavlix transferred the package to me ~3 years ago. I've been the default bug assignee for this component since then. On Thu, Mar 18, 2021 at 10:59 AM Miro Hrončok wrote: > > On 18. 03. 21 10:48, Pavel Zhukov wrote: > > I've got an email from bugzilla and noticed that the cyrus-imapd > > package was orphaned and pagure confirmed that. > > The package was built in rawhide, upgraded to the newest version and > > there are not fail to install bugs opened. So the reason for this > > action is not unclear for me. > > Can somebody (Miro?) explain the reason? > > To see the reason we first need to know who orphaned it. > > I happen to have a backup of pagure_owner_alias.json from couple days ago, the > maintainers were: > > "cyrus-imapd": [ > "kanarip", > "tibbs", > "landgraf", > "pavlix", > "zdohnal" > ], > > Unfortunately I don't see who was the main admin. > > Today, landgraf and pavlix are missing. Is it possible that one of them was > the > main admin and orphaned the package? > > -- > Miro Hrončok > -- > Phone: +420777974800 > IRC: mhroncok > -- Pavel Zhukov Software Engineer IRC: landgraf ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Re: Cyrus-imapd orphaned for unknown reason
On 18. 03. 21 10:48, Pavel Zhukov wrote: I've got an email from bugzilla and noticed that the cyrus-imapd package was orphaned and pagure confirmed that. The package was built in rawhide, upgraded to the newest version and there are not fail to install bugs opened. So the reason for this action is not unclear for me. Can somebody (Miro?) explain the reason? To see the reason we first need to know who orphaned it. I happen to have a backup of pagure_owner_alias.json from couple days ago, the maintainers were: "cyrus-imapd": [ "kanarip", "tibbs", "landgraf", "pavlix", "zdohnal" ], Unfortunately I don't see who was the main admin. Today, landgraf and pavlix are missing. Is it possible that one of them was the main admin and orphaned the package? -- Miro Hrončok -- Phone: +420777974800 IRC: mhroncok ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Cyrus-imapd orphaned for unknown reason
I've got an email from bugzilla and noticed that the cyrus-imapd package was orphaned and pagure confirmed that. The package was built in rawhide, upgraded to the newest version and there are not fail to install bugs opened. So the reason for this action is not unclear for me. Can somebody (Miro?) explain the reason? -- Pavel Zhukov Software Engineer IRC: landgraf ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
