Jeff Fearn replied to my email, but he only copied the internal
bugzilla-list, because he wanted to include security details and didn't
feel comfortable doing that on a public list. I've selected the most
important parts of his replies and deleted the rest. Please see his
responses below:

On Wed, Feb 9, 2022 at 1:37 PM Jeff Fearn <jfe...@redhat.com> wrote:

> On 9/2/2022 20:33, Kamil Paral wrote:
> > initially I (and not just me) read the email as "update to the latest
> > python-bugzilla and you'll be fine". But after I played with
> > bugzilla.stage, and read the announcement more carefully, it seems that the
> > only possible authentication method is now using the bugzilla api key, i.e.
> > using the username + password login is no longer possible (for API access).
> > Is that correct?
>
> Yes this is correct.
>
> > I do have several concerns regarding that. The change seems too sudden and
> > a lot of Fedora tooling interacts with bugzilla.
>
> This has been discussed for some time on the internal bugzilla-list.
>
> [snip]
>
> > So, basically two questions:
> > 1. Why are we given so little time to react? Can this change wait at least
> > until F36 is released (around the end of April), so that the Anaconda and
> > ABRT teams (as well as others) can incorporate the changes
>
> The time line was based on the feedback we got on bugzilla-list.
> Technically it's a pretty easy change and no one raised these kinds of
> issues.
>
> People with blockers should send a mail to bugzilla-list, or open a
> ticket, with all the gory details, and we can mash it out.
>
> The list is better IMO because there are people from other teams who can
> contribute to the discussion.
>
> > 2. Is there a good enough justification for completely banning
> > username+password authentication? Because this will have a strong impact on
> > Fedora quality by reducing the amount of crash reports which we receive, I
> > can't imagine it any other way.
>
> This change is driven by security of credentials
> [snip]
>

Based on Jeff's responses, I'd encourage teams that own a high-impact
application/tooling affected by this change and can't react quickly enough
to post to the internal bugzilla-list and discuss this issue. It seems the
deadline could possibly be extended if there are good reasons for it.
Teams without access to the internal bugzilla-list can open a
bugzilla ticket (against the Bugzilla product) or contact Jeff directly, I
assume.
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org