Re: [RFE] Auto-approve watchcommits and watchbugzilla in Pkgdb (2nd try)
On Tue, Jul 28, 2009 at 01:54:20PM -0700, Toshio Kuratomi wrote:

> It was in my post to the last thread:
>
> Is someone in a position to verify whether setting security flags on a bug prevents someone who would be put in the CC list by the default cc attribute would or would not let people see those bugs? Is someone in a position to tell me if watching a person in bugzilla would also let you violate this?
>
> I think people are generally amenable to autoapproving CC to watchbugzilla as long as security bugs do not send updates out to random people who have signed up to be CC'd. Knowing just how security bugs work allows us to evaluate what the risks are.

How about just testing this? Is the following what you think may cause trouble?

1) Security bug 12345 against package foo is created
2) Alice requests watchbugzilla for package foo
3) Alice can now watch bug 12345

We can test this with this bug I marked as security sensitive:
https://bugzilla.redhat.com/show_bug.cgi?id=472110

You can now apply for watchbugzilla here:
https://admin.fedoraproject.org/pkgdb/packages/name/pam_mount

According to the Bugzilla docs, only people that are already on the CC list can access restricted bugs, and this can also be disabled:
http://www.bugzilla.org/docs/tip/en/html/groups.html

| By default, bugs can also be seen by the Assignee, the Reporter, and by
| everyone on the CC List, regardless of whether or not the bug would
| typically be viewable by them. Visibility to the Reporter and CC List
| can be overridden (on a per-bug basis) by bringing up the bug, finding
| the section that starts with Users in the roles selected below... and
| un-checking the box next to either 'Reporter' or 'CC List' (or both).

Regards
Till

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: [RFE] Auto-approve watchcommits and watchbugzilla in Pkgdb (2nd try)
On 07/29/2009 01:59 AM, Till Maas wrote:
> On Tue, Jul 28, 2009 at 01:54:20PM -0700, Toshio Kuratomi wrote:
>> It was in my post to the last thread:
>>
>> Is someone in a position to verify whether setting security flags on a bug prevents someone who would be put in the CC list by the default cc attribute would or would not let people see those bugs? Is someone in a position to tell me if watching a person in bugzilla would also let you violate this?
>>
>> I think people are generally amenable to autoapproving CC to watchbugzilla as long as security bugs do not send updates out to random people who have signed up to be CC'd. Knowing just how security bugs work allows us to evaluate what the risks are.
>
> How about just testing this? Is the following what you think may cause trouble?
>
> 1) Security bug 12345 against package foo is created
> 2) Alice requests watchbugzilla for package foo
> 3) Alice can now watch bug 12345

Reverse steps 1 and 2.

> We can test this with this bug I marked as security sensitive:
> https://bugzilla.redhat.com/show_bug.cgi?id=472110
>
> You can now apply for watchbugzilla here:
> https://admin.fedoraproject.org/pkgdb/packages/name/pam_mount
>
> According to the Bugzilla docs, only people that are already on the CC list can access restricted bugs, and this can also be disabled:
> http://www.bugzilla.org/docs/tip/en/html/groups.html
>
> | By default, bugs can also be seen by the Assignee, the Reporter, and by
> | everyone on the CC List, regardless of whether or not the bug would
> | typically be viewable by them. Visibility to the Reporter and CC List
> | can be overridden (on a per-bug basis) by bringing up the bug, finding
> | the section that starts with Users in the roles selected below... and
> | un-checking the box next to either 'Reporter' or 'CC List' (or both).

This implies that autoapproving watchbugzilla would allow people to see security bugs. Is the same thing true of watching a person?

till, I'm now watching till-opensource.name, if you want to open a new security bug and see if I get CC'd.

-Toshio
Re: [RFE] Auto-approve watchcommits and watchbugzilla in Pkgdb (2nd try)
On Wed, Jul 29, 2009 at 06:30:27AM -0700, Toshio Kuratomi wrote:

> Is the same thing true of watching a person?
>
> till, I'm now watching till-opensource.name, if you want to open a new security bug and see if I get CC'd.

I created https://bugzilla.redhat.com/show_bug.cgi?id=514518

According to bugzilla, you did not receive any mails, but only security-response-team@ rh..

Regards
Till
Re: [RFE] Auto-approve watchcommits and watchbugzilla in Pkgdb (2nd try)
On Wed, Jul 29, 2009 at 07:12:00AM -0700, Toshio Kuratomi wrote:
> On 07/29/2009 07:05 AM, Till Maas wrote:
>> On Wed, Jul 29, 2009 at 06:30:27AM -0700, Toshio Kuratomi wrote:
>>> Is the same thing true of watching a person?
>>>
>>> till, I'm now watching till-opensource.name, if you want to open a new security bug and see if I get CC'd.
>>
>> I created https://bugzilla.redhat.com/show_bug.cgi?id=514518
>>
>> According to bugzilla, you did not receive any mails, but only security-response-team@ rh..
>
> Confirmed. So autoapproving watchbugzilla would open up security bugs in a way that watching a person does not.

According to Tomas Hoger, who replied to the bug, creating a security sensitive bug also skips initialccs, therefore there seems to be no security issue at all with autoapproving watchbugzilla in reality afaics. I also observed that I was not added to the CC list of the bug, which would be the default behaviour.

Regards
Till
Re: [RFE] Auto-approve watchcommits and watchbugzilla in Pkgdb (2nd try)
On 07/29/2009 08:20 AM, Till Maas wrote:
> On Wed, Jul 29, 2009 at 07:12:00AM -0700, Toshio Kuratomi wrote:
>> On 07/29/2009 07:05 AM, Till Maas wrote:
>>> On Wed, Jul 29, 2009 at 06:30:27AM -0700, Toshio Kuratomi wrote:
>>>> Is the same thing true of watching a person?
>>>>
>>>> till, I'm now watching till-opensource.name, if you want to open a new security bug and see if I get CC'd.
>>>
>>> I created https://bugzilla.redhat.com/show_bug.cgi?id=514518
>>>
>>> According to bugzilla, you did not receive any mails, but only security-response-team@ rh..
>>
>> Confirmed. So autoapproving watchbugzilla would open up security bugs in a way that watching a person does not.
>
> According to Tomas Hoger, who replied to the bug, creating a security sensitive bug also skips initialccs, therefore there seems to be no security issue at all with autoapproving watchbugzilla in reality afaics. I also observed that I was not added to the CC list of the bug, which would be the default behaviour.

Okay, please test this with a package that has people on the initial CC list so we've tested precisely the behaviour people are concerned about. If the initialcclist is not set when a security bug comes in I don't think there's a reason we shouldn't auto-approve watchbugzilla in pkgdb.

-Toshio
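To make the exchange above concrete, here is an added example (not code from the thread, from pkgdb, or from Bugzilla) that models the visibility rules quoted from the Bugzilla docs and compares the behaviour people are worried about (the package's initial CC list is applied to a security-sensitive bug) with the behaviour Till observed on bug 514518 (initialcc is skipped for security-sensitive bugs) and with the per-bug "CC List" override from the docs. The user names, the package name, the `SECURITY_TEAM` stand-in for the group that may see every security bug, and the assumption that this group is always CC'd are all constructed for the example.

```python
# Added example: a small model of the Bugzilla visibility rules discussed in
# the thread. Not Bugzilla's or pkgdb's code; names and policies are assumed.
from dataclasses import dataclass, field

# Constructed stand-in for the group that is allowed to see all security bugs.
SECURITY_TEAM = "security-response-team"


@dataclass
class Bug:
    bug_id: int
    package: str
    security_sensitive: bool
    reporter: str
    assignee: str
    cc: set = field(default_factory=set)
    # Per-bug "CC List" role checkbox from the quoted docs: when False, being
    # on CC no longer grants visibility to a restricted bug.
    cc_list_can_see: bool = True


def file_bug(bug_id, package, security_sensitive, reporter, assignee,
             initial_cc, skip_initialcc_for_security):
    """Create a bug and apply the package's initial CC list (the pkgdb
    watchbugzilla members), unless the bug is security sensitive and the
    instance skips initialcc for such bugs (the behaviour seen on bug 514518)."""
    bug = Bug(bug_id, package, security_sensitive, reporter, assignee)
    if not (security_sensitive and skip_initialcc_for_security):
        bug.cc |= set(initial_cc.get(package, ()))
    if security_sensitive:
        bug.cc.add(SECURITY_TEAM)  # assumption: the security team is always CC'd
    return bug


def can_see(bug, user):
    """Visibility per the quoted docs: unrestricted bugs are public; restricted
    bugs are visible to the reporter, the assignee, the security group and,
    unless overridden on the bug, everyone on the CC list."""
    if not bug.security_sensitive:
        return True
    if user in (bug.reporter, bug.assignee, SECURITY_TEAM):
        return True
    return bug.cc_list_can_see and user in bug.cc


def recipients(bug):
    """Who receives change mail: CC, reporter and assignee, filtered by
    whether they may see the bug at all."""
    candidates = bug.cc | {bug.reporter, bug.assignee}
    return sorted(u for u in candidates if can_see(bug, u))


def compare():
    """Alice holds an auto-approved watchbugzilla on 'foo', so she sits on the
    package's initial CC list before any bug is filed (Toshio's reversed
    steps 1 and 2). Returns the notified users under each policy."""
    initial_cc = {"foo": {"alice"}}
    weak = file_bug(1, "foo", True, "till", "maint", initial_cc,
                    skip_initialcc_for_security=False)
    fixed = file_bug(2, "foo", True, "till", "maint", initial_cc,
                     skip_initialcc_for_security=True)
    overridden = file_bug(3, "foo", True, "till", "maint", initial_cc,
                          skip_initialcc_for_security=False)
    overridden.cc_list_can_see = False  # per-bug override from the docs
    public = file_bug(4, "foo", False, "till", "maint", initial_cc,
                      skip_initialcc_for_security=True)
    return {
        "weak": recipients(weak),
        "fixed": recipients(fixed),
        "overridden": recipients(overridden),
        "public": recipients(public),
    }


if __name__ == "__main__":
    for policy, who in compare().items():
        print(f"{policy:10s} -> {who}")
```

In the "weak" run Alice is notified about the security bug purely because watchbugzilla put her on the initial CC list; in the "fixed" run (initialcc skipped for security-sensitive bugs) and in the "overridden" run (CC List visibility unchecked on the bug) she is not, while the ordinary bug still reaches her as intended. The "fixed" behaviour is the one Till reports and Toshio asks to re-test with a package that actually has an initial CC list.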
Re: [RFE] Auto-approve watchcommits and watchbugzilla in Pkgdb (2nd try)
On Wed, 2009-07-29 at 07:12 -0700, Toshio Kuratomi wrote:
> On 07/29/2009 07:05 AM, Till Maas wrote:
>> On Wed, Jul 29, 2009 at 06:30:27AM -0700, Toshio Kuratomi wrote:
>>> Is the same thing true of watching a person?
>>>
>>> till, I'm now watching till-opensource.name, if you want to open a new security bug and see if I get CC'd.
>>
>> I created https://bugzilla.redhat.com/show_bug.cgi?id=514518
>>
>> According to bugzilla, you did not receive any mails, but only security-response-team@ rh..
>
> Confirmed. So autoapproving watchbugzilla would open up security bugs in a way that watching a person does not.

Why are we not just treating this as a bug? If the privacy model is that non-privileged people should not be notified about security bugs, then non-privileged people should not be notified about security bugs, no matter whether they're using watchbugzilla or watchcommits or anything else. Relying on manual filtering by not auto-approving watch requests does not smell like the right 'fix' to me - humans are fallible, after all. Shouldn't we just treat this as a bug in Bugzilla, report it, and get it fixed?

--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net
Re: [RFE] Auto-approve watchcommits and watchbugzilla in Pkgdb (2nd try)
2009/7/29 Toshio Kuratomi a.bad...@gmail.com:
> Okay, please test this with a package that has people on the initial CC list so we've tested precisely the behaviour people are concerned about. If the initialcclist is not set when a security bug comes in I don't think there's a reason we shouldn't auto-approve watchbugzilla in pkgdb.

I think that we should treat this as an issue: a user should be added to the watchlist for sensitive bugs only if he is in the commits group (which means that he can fix security bugs). If he is just in watchbugzilla, then he shouldn't see such tickets.

Anyway, we should autoapprove watchcommits, at least.

--
With best regards, Peter Lemenkov.
Re: [RFE] Auto-approve watchcommits and watchbugzilla in Pkgdb (2nd try)
On 07/29/2009 08:41 PM, Peter Lemenkov wrote:
> 2009/7/29 Toshio Kuratomi a.bad...@gmail.com:
>> Okay, please test this with a package that has people on the initial CC list so we've tested precisely the behaviour people are concerned about. If the initialcclist is not set when a security bug comes in I don't think there's a reason we shouldn't auto-approve watchbugzilla in pkgdb.
>
> I think that we should treat this as an issue: a user should be added to the watchlist for sensitive bugs only if he is in the commits group (which means that he can fix security bugs). If he is just in watchbugzilla, then he shouldn't see such tickets.

AFAIK, this can't be done because there is only one initialcclist field in bugzilla. So at the bugzilla level, you can either apply the cclist or not apply the cclist. Can't have both.

-Toshio
[RFE] Auto-approve watchcommits and watchbugzilla in Pkgdb (2nd try)
Hello All!

Since nobody changed anything after the last discussion, I repeat my proposal again (if someone missed it). Why should we manually approve requests to watch bugzilla and cvs changes for packages? I'm sure we need to change the policy in order to automatically approve all such requests.

See previous discussions:

http://thread.gmane.org/gmane.linux.redhat.fedora.devel/67465 (2007-10-26, started by Toshio Kuratomi)
http://thread.gmane.org/gmane.linux.redhat.fedora.devel/94641 (2008-10-12, started by Patrice Dumas)
http://thread.gmane.org/gmane.linux.redhat.fedora.devel/116848 (2009-07-06, started by me)

--
With best regards, Peter Lemenkov.
Re: [RFE] Auto-approve watchcommits and watchbugzilla in Pkgdb (2nd try)
Toshio, what is needed to make this happen? Does FESCo need to approve this?

On Tue, Jul 28, 2009 at 2:17 PM, Peter Lemenkov lemen...@gmail.com wrote:
> Hello All!
>
> Since nobody changed anything after the last discussion, I repeat my proposal again (if someone missed it). Why should we manually approve requests to watch bugzilla and cvs changes for packages? I'm sure we need to change the policy in order to automatically approve all such requests.
>
> See previous discussions:
>
> http://thread.gmane.org/gmane.linux.redhat.fedora.devel/67465 (2007-10-26, started by Toshio Kuratomi)
> http://thread.gmane.org/gmane.linux.redhat.fedora.devel/94641 (2008-10-12, started by Patrice Dumas)
> http://thread.gmane.org/gmane.linux.redhat.fedora.devel/116848 (2009-07-06, started by me)
>
> --
> With best regards, Peter Lemenkov.

--
Itamar Reis Peixoto
e-mail/msn: ita...@ispbrasil.com.br
sip: ita...@ispbrasil.com.br
skype: itamarjp
icq: 81053601
+55 11 4063 5033
+55 34 3221 8599
Re: [RFE] Auto-approve watchcommits and watchbugzilla in Pkgdb (2nd try)
On 07/28/2009 01:18 PM, Itamar Reis Peixoto wrote:
> Toshio, what is needed to make this happen? Does FESCo need to approve this?

It was in my post to the last thread:

Is someone in a position to verify whether setting security flags on a bug prevents someone who would be put in the CC list by the default cc attribute would or would not let people see those bugs? Is someone in a position to tell me if watching a person in bugzilla would also let you violate this?

I think people are generally amenable to autoapproving CC to watchbugzilla as long as security bugs do not send updates out to random people who have signed up to be CC'd. Knowing just how security bugs work allows us to evaluate what the risks are.

-Toshio

> On Tue, Jul 28, 2009 at 2:17 PM, Peter Lemenkov lemen...@gmail.com wrote:
>> Hello All!
>>
>> Since nobody changed anything after the last discussion, I repeat my proposal again (if someone missed it). Why should we manually approve requests to watch bugzilla and cvs changes for packages? I'm sure we need to change the policy in order to automatically approve all such requests.
>>
>> See previous discussions:
>>
>> http://thread.gmane.org/gmane.linux.redhat.fedora.devel/67465 (2007-10-26, started by Toshio Kuratomi)
>> http://thread.gmane.org/gmane.linux.redhat.fedora.devel/94641 (2008-10-12, started by Patrice Dumas)
>> http://thread.gmane.org/gmane.linux.redhat.fedora.devel/116848 (2009-07-06, started by me)
>>
>> --
>> With best regards, Peter Lemenkov.