Just to circle back to this (since I finally have time to catch up on
email), and since the ticket was private:
We hotfixed a fix for this right after it was noticed and now it's
in the upstream pagure-dist-git release as well.
Only admins of a package can orphan it.
Let us know if you see any
The real issue is not orphaning itself but the possibility to take the
package right away and get full access for any package in the
distribution.
On Thu, Mar 18, 2021 at 2:46 PM Kalev Lember wrote:
On 3/18/21 11:29, Pavel Zhukov wrote:
Even worse. Every packager (not a member of package) is able to orphan
*any* package and drop the main admin there. Just verified it.
I went ahead and filed this as
https://pagure.io/fedora-infrastructure/issue/9745
--
Kalev
Even worse. Every packager (not a member of package) is able to orphan
*any* package and drop the main admin there. Just verified it.
On Thu, Mar 18, 2021 at 11:25 AM Miro Hrončok wrote:
On 18. 03. 21 11:14, Pavel Zhukov wrote:
So... Looks like the ex-admin of the package was able to orphan one
somehow and by doing this drop the current admin from the member
list. Looks like a bug if not a security hole for me.
An "admin" can remove admins. I don't think that is necessarily a
So... Looks like the ex-admin of the package was able to orphan one
somehow and by doing this drop the current admin from the member
list. Looks like a bug if not a security hole for me.
On Thu, Mar 18, 2021 at 11:07 AM Miro Hrončok wrote:
On 18. 03. 21 11:03, Pavel Zhukov wrote:
landgraf (it's me) has not done this :) and pavlix transferred the
package to me ~3 years ago.
I've been the default bug assignee for this component since then.
In that case, no idea. The pagure admins might have some kind of information
about who made
landgraf (it's me) has not done this :) and pavlix transferred the
package to me ~3 years ago.
I've been the default bug assignee for this component since then.
On Thu, Mar 18, 2021 at 10:59 AM Miro Hrončok wrote:
On 18. 03. 21 10:48, Pavel Zhukov wrote:
I've got an email from bugzilla and noticed that the cyrus-imapd
package was orphaned and pagure confirmed that.
The package was built in rawhide, upgraded to the newest version and
there are no fail-to-install bugs opened. So the reason for this
action i