Re: [RFE] Auto-approve watchcommits and watchbugzilla in Pkgdb (2nd try)
On 07/29/2009 08:41 PM, Peter Lemenkov wrote:
> 2009/7/29 Toshio Kuratomi :
>> Okay, please test this with a package that has people on the initial CC
>> list so we've tested precisely the behaviour people are concerned about.
>>
>> If the initialcclist is not set when a security bug comes in I don't
>> think there's a reason we shouldn't auto-approve watchbugzilla in pkgdb.
>
> I think that we should treat this as an issue - a user should be added
> to the watchlist for sensitive bugs only if he is in the "commits" group
> (which means that he can fix security bugs). If he is just in
> watchbugzilla, then he shouldn't see such tickets.
>

AFAIK, this can't be done because there is only one initialcclist field
in bugzilla. So at the bugzilla level, you can either apply the cclist
or not apply the cclist. Can't have both.

-Toshio

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: [RFE] Auto-approve watchcommits and watchbugzilla in Pkgdb (2nd try)
2009/7/29 Toshio Kuratomi :
> Okay, please test this with a package that has people on the initial CC
> list so we've tested precisely the behaviour people are concerned about.
>
> If the initialcclist is not set when a security bug comes in I don't
> think there's a reason we shouldn't auto-approve watchbugzilla in pkgdb.

I think that we should treat this as an issue - a user should be added
to the watchlist for sensitive bugs only if he is in the "commits" group
(which means that he can fix security bugs). If he is just in
watchbugzilla, then he shouldn't see such tickets.

Anyway, we should autoapprove watchcommits, at least.

--
With best regards, Peter Lemenkov.
Re: [RFE] Auto-approve watchcommits and watchbugzilla in Pkgdb (2nd try)
On Wed, Jul 29, 2009 at 08:37:27AM -0700, Toshio Kuratomi wrote:
> Okay, please test this with a package that has people on the initial CC
> list so we've tested precisely the behaviour people are concerned about.

Actually there is someone on every initialcc list, but here is now a
security sensitive bug filed against bodhi and the CC list is again
empty and only Luke was notified additionally to the security response
team.
https://bugzilla.redhat.com/show_bug.cgi?id=514637

> If the initialcclist is not set when a security bug comes in I don't
> think there's a reason we shouldn't auto-approve watchbugzilla in pkgdb.

Hooray.

Regards
Till
Re: [RFE] Auto-approve watchcommits and watchbugzilla in Pkgdb (2nd try)
On Wed, 2009-07-29 at 07:12 -0700, Toshio Kuratomi wrote:
> On 07/29/2009 07:05 AM, Till Maas wrote:
> > On Wed, Jul 29, 2009 at 06:30:27AM -0700, Toshio Kuratomi wrote:
> >
> >> Is the same thing true of watching a person? till, I'm now watching
> >> till-opensource.name, if you want to open a new security bug and see if
> >> I get CC'd.
> >
> > I created https://bugzilla.redhat.com/show_bug.cgi?id=514518
> > According to bugzilla, you did not receive any mails, but only
> > security-response-team@ rh..
> >
> Confirmed.
>
> So autoapproving watchbugzilla would open up security bugs in a way that
> watching a person does not.

Why are we not just treating this as a bug? If the privacy model is that
non-privileged people should not be notified about security bugs, then
non-privileged people should not be notified about security bugs, no
matter whether they're using watchbugzilla or watchcommits or anything
else. Relying on manual filtering by not auto-approving watch requests
does not smell like the right 'fix' to me - humans are fallible, after
all. Shouldn't we just treat this as a bug in Bugzilla, report it, and
get it fixed?

--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net
Re: [RFE] Auto-approve watchcommits and watchbugzilla in Pkgdb (2nd try)
On 07/29/2009 08:20 AM, Till Maas wrote:
> On Wed, Jul 29, 2009 at 07:12:00AM -0700, Toshio Kuratomi wrote:
>> On 07/29/2009 07:05 AM, Till Maas wrote:
>>> On Wed, Jul 29, 2009 at 06:30:27AM -0700, Toshio Kuratomi wrote:
>>>> Is the same thing true of watching a person? till, I'm now watching
>>>> till-opensource.name, if you want to open a new security bug and see if
>>>> I get CC'd.
>>>
>>> I created https://bugzilla.redhat.com/show_bug.cgi?id=514518
>>> According to bugzilla, you did not receive any mails, but only
>>> security-response-team@ rh..
>>>
>> Confirmed.
>>
>> So autoapproving watchbugzilla would open up security bugs in a way that
>> watching a person does not.
>
> According to Tomas Hoger, who replied to the bug, creating a security
> sensitive bug also skips initialccs, therefore there seems to be no
> security issue at all with autoapproving watchbugzilla in reality
> afaics. I also observed that I was not added to the CC list of the
> bug, which would be the default behaviour.
>

Okay, please test this with a package that has people on the initial CC
list so we've tested precisely the behaviour people are concerned about.

If the initialcclist is not set when a security bug comes in I don't
think there's a reason we shouldn't auto-approve watchbugzilla in pkgdb.

-Toshio
Re: [RFE] Auto-approve watchcommits and watchbugzilla in Pkgdb (2nd try)
On Wed, Jul 29, 2009 at 07:12:00AM -0700, Toshio Kuratomi wrote:
> On 07/29/2009 07:05 AM, Till Maas wrote:
> > On Wed, Jul 29, 2009 at 06:30:27AM -0700, Toshio Kuratomi wrote:
> >
> >> Is the same thing true of watching a person? till, I'm now watching
> >> till-opensource.name, if you want to open a new security bug and see if
> >> I get CC'd.
> >
> > I created https://bugzilla.redhat.com/show_bug.cgi?id=514518
> > According to bugzilla, you did not receive any mails, but only
> > security-response-team@ rh..
> >
> Confirmed.
>
> So autoapproving watchbugzilla would open up security bugs in a way that
> watching a person does not.

According to Tomas Hoger, who replied to the bug, creating a security
sensitive bug also skips initialccs, therefore there seems to be no
security issue at all with autoapproving watchbugzilla in reality
afaics. I also observed that I was not added to the CC list of the
bug, which would be the default behaviour.

Regards
Till
Re: [RFE] Auto-approve watchcommits and watchbugzilla in Pkgdb (2nd try)
On 07/29/2009 07:05 AM, Till Maas wrote:
> On Wed, Jul 29, 2009 at 06:30:27AM -0700, Toshio Kuratomi wrote:
>
>> Is the same thing true of watching a person? till, I'm now watching
>> till-opensource.name, if you want to open a new security bug and see if
>> I get CC'd.
>
> I created https://bugzilla.redhat.com/show_bug.cgi?id=514518
> According to bugzilla, you did not receive any mails, but only
> security-response-team@ rh..
>
Confirmed.

So autoapproving watchbugzilla would open up security bugs in a way that
watching a person does not.

-Toshio
Re: [RFE] Auto-approve watchcommits and watchbugzilla in Pkgdb (2nd try)
On Wed, Jul 29, 2009 at 06:30:27AM -0700, Toshio Kuratomi wrote:
> Is the same thing true of watching a person? till, I'm now watching
> till-opensource.name, if you want to open a new security bug and see if
> I get CC'd.

I created https://bugzilla.redhat.com/show_bug.cgi?id=514518
According to bugzilla, you did not receive any mails, but only
security-response-team@ rh..

Regards
Till
Re: [RFE] Auto-approve watchcommits and watchbugzilla in Pkgdb (2nd try)
On 07/29/2009 01:59 AM, Till Maas wrote:
> On Tue, Jul 28, 2009 at 01:54:20PM -0700, Toshio Kuratomi wrote:
>
>> It was in my post to the last thread::
>> """
>> Is someone in a position to verify whether setting security flags on a
>> bug prevents someone who would be put in the CC list by the default cc
>> attribute would or would not let people see those bugs? Is someone in a
>> position to tell me if watching a person in bugzilla would also let you
>> violate this?
>> """
>>
>> I think people are generally amenable to autoapproving CC to
>> watchbugzilla as long as security bugs do not send updates out to random
>> people who have signed up to be CC'd. Knowing just how security bugs
>> work allows us to evaluate what the risks are.
>
> How about just testing this? Is the following what you think may cause
> trouble?
>
> 1) Security bug 12345 against package foo is created
> 2) Alice requests watchbugzilla for package foo
> 3) Alice can now watch bug 12345
>
Reverse steps 1 and 2.

> We can test this with this bug I marked as security sensitive:
> https://bugzilla.redhat.com/show_bug.cgi?id=472110
>
> You can now apply for watchbugzilla here:
> https://admin.fedoraproject.org/pkgdb/packages/name/pam_mount
>
> According to the Bugzilla docs, only people that are already on the CC
> list can access restricted bugs, and this can also be disabled:
>
> http://www.bugzilla.org/docs/tip/en/html/groups.html
>
> | By default, bugs can also be seen by the Assignee, the Reporter, and by
> | everyone on the CC List, regardless of whether or not the bug would
> | typically be viewable by them. Visibility to the Reporter and CC List
> | can be overridden (on a per-bug basis) by bringing up the bug, finding
> | the section that starts with "Users in the roles selected below..." and
> | un-checking the box next to either 'Reporter' or 'CC List' (or both).
>
This implies that autoapproving watchbugzilla would allow people to see
security bugs.

Is the same thing true of watching a person? till, I'm now watching
till-opensource.name, if you want to open a new security bug and see if
I get CC'd.

-Toshio
Re: [RFE] Auto-approve watchcommits and watchbugzilla in Pkgdb (2nd try)
On Wednesday 29 July 2009 14:00:23 Jon Stanley wrote:
> On Wed, Jul 29, 2009 at 4:59 AM, Till Maas wrote:
> > According to the Bugzilla docs, only people that are already on the CC
> > list can access restricted bugs, and this can also be disabled:
>
> Correct - but everyone that has watchbugzilla is put on the CC list
> when the bug is created. Therefore, if I create a new security bug
> tomorrow, and Joe Random has watchbugzilla and is therefore on the CC
> list, he'll be able to see that bug.

So are there any rules to decide who is allowed to get watchbugzilla for
any package? How do you decide who is allowed to get watchbugzilla for a
package? In case of very secret security bugs, how do you know that
anyone on the watchbugzilla list is legitimate? How about just creating
these kinds of bugs in the "Security Response" product and then selecting
manually who is allowed to see the bug?

Nevertheless, how about making autoapproval the default but giving
package owners an option to opt out? So if there are package maintainers
who have any policy about who is allowed to get watchbugzilla, then they
can enforce it.

Regards
Till
Re: [RFE] Auto-approve watchcommits and watchbugzilla in Pkgdb (2nd try)
On Wed, Jul 29, 2009 at 4:59 AM, Till Maas wrote:
> According to the Bugzilla docs, only people that are already on the CC
> list can access restricted bugs, and this can also be disabled:

Correct - but everyone that has watchbugzilla is put on the CC list
when the bug is created. Therefore, if I create a new security bug
tomorrow, and Joe Random has watchbugzilla and is therefore on the CC
list, he'll be able to see that bug.

Yes, there is a box you can uncheck to disable this - however it's not
desirable. The security team, for instance, is on the CC list, as well
as any legitimate co-maintainers. The security team adds people to the
CC in order to allow them to see the bug prior to it becoming public,
also - so it breaks actual workflow that works today.

Not a good idea, IMO.
Re: [RFE] Auto-approve watchcommits and watchbugzilla in Pkgdb (2nd try)
On Tue, Jul 28, 2009 at 01:54:20PM -0700, Toshio Kuratomi wrote:
> It was in my post to the last thread::
> """
> Is someone in a position to verify whether setting security flags on a
> bug prevents someone who would be put in the CC list by the default cc
> attribute would or would not let people see those bugs? Is someone in a
> position to tell me if watching a person in bugzilla would also let you
> violate this?
> """
>
> I think people are generally amenable to autoapproving CC to
> watchbugzilla as long as security bugs do not send updates out to random
> people who have signed up to be CC'd. Knowing just how security bugs
> work allows us to evaluate what the risks are.

How about just testing this? Is the following what you think may cause
trouble?

1) Security bug 12345 against package foo is created
2) Alice requests watchbugzilla for package foo
3) Alice can now watch bug 12345

We can test this with this bug I marked as security sensitive:
https://bugzilla.redhat.com/show_bug.cgi?id=472110

You can now apply for watchbugzilla here:
https://admin.fedoraproject.org/pkgdb/packages/name/pam_mount

According to the Bugzilla docs, only people that are already on the CC
list can access restricted bugs, and this can also be disabled:

http://www.bugzilla.org/docs/tip/en/html/groups.html

| By default, bugs can also be seen by the Assignee, the Reporter, and by
| everyone on the CC List, regardless of whether or not the bug would
| typically be viewable by them. Visibility to the Reporter and CC List
| can be overridden (on a per-bug basis) by bringing up the bug, finding
| the section that starts with "Users in the roles selected below..." and
| un-checking the box next to either 'Reporter' or 'CC List' (or both).

Regards
Till
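To make the visibility rules that this message and Jon Stanley's reply argue about concrete, here is a small model of them in Python. It is an added example written for this page, not code from the thread, from Bugzilla or from pkgdb, and it simplifies: the group name is a constructed stand-in for the 'Security Sensitive Bug' group, an approved watchbugzilla ACL is assumed to land the user on the component's initialcclist (as Jon Stanley describes), the rule from the quoted docs (members of the restricting group, the assignee, the reporter and the CC list can see the bug, with per-bug checkboxes for reporter and CC) is implemented literally, and whether filing a security-sensitive bug copies the initialcclist is left as a parameter because the thread reports both outcomes.

```python
from dataclasses import dataclass, field

# Constructed stand-in for Bugzilla's 'Security Sensitive Bug' group (assumed name).
SECURITY_GROUP = "security_sensitive"


@dataclass
class User:
    name: str
    groups: frozenset = frozenset()


@dataclass
class Component:
    """A Bugzilla component as pkgdb syncs it (assumed): owner plus initialcclist."""
    name: str
    owner: str
    initialcclist: set = field(default_factory=set)


@dataclass
class Bug:
    bug_id: int
    component: str
    reporter: str
    assignee: str
    groups: frozenset = frozenset()      # groups restricting visibility; empty = public
    cc: set = field(default_factory=set)
    cc_can_see: bool = True              # the per-bug 'CC List' checkbox from the docs
    reporter_can_see: bool = True        # the per-bug 'Reporter' checkbox


def grant_watchbugzilla(component: Component, user: User, auto_approve: bool) -> bool:
    """pkgdb side (assumed): an approved watchbugzilla ACL puts the user on the
    component's initialcclist. Returns whether the ACL was approved."""
    if not auto_approve:
        return False  # stays pending until a package owner approves it by hand
    component.initialcclist.add(user.name)
    return True


def file_bug(bug_id: int, component: Component, reporter: str,
             security: bool, apply_initialcc_to_restricted: bool) -> Bug:
    """Bug creation. Whether a security-sensitive bug still copies the initialcclist
    is exactly what the thread set out to test, so it is a parameter here."""
    groups = frozenset({SECURITY_GROUP}) if security else frozenset()
    copy_cc = (not security) or apply_initialcc_to_restricted
    cc = set(component.initialcclist) if copy_cc else set()
    return Bug(bug_id, component.name, reporter, component.owner, groups, cc)


def can_see(bug: Bug, user: User) -> bool:
    """Visibility rule as the quoted Bugzilla docs describe it."""
    if not bug.groups:
        return True                       # unrestricted bug
    if bug.groups <= user.groups:         # member of every restricting group
        return True
    if user.name == bug.assignee:
        return True
    if bug.reporter_can_see and user.name == bug.reporter:
        return True
    if bug.cc_can_see and user.name in bug.cc:
        return True
    return False


def scenario(apply_initialcc_to_restricted: bool, cc_can_see: bool = True,
             watch_before_bug: bool = True) -> dict:
    """Run Till's three steps (or their reverse) and report who can read the bug.
    Users and package are constructed sample data."""
    comp = Component("foo", owner="alice", initialcclist={"alice"})
    joe = User("joe")                                      # Joe Random, no groups
    srt = User("srt", groups=frozenset({SECURITY_GROUP}))  # security response team
    alice = User("alice")                                  # package owner / assignee

    if watch_before_bug:
        grant_watchbugzilla(comp, joe, auto_approve=True)
    bug = file_bug(12345, comp, "reporter", security=True,
                   apply_initialcc_to_restricted=apply_initialcc_to_restricted)
    bug.cc_can_see = cc_can_see
    if not watch_before_bug:
        # Reversed order: the bug's CC list was fixed at creation, so a later
        # watchbugzilla grant changes nothing for this bug.
        grant_watchbugzilla(comp, joe, auto_approve=True)
    return {u.name: can_see(bug, u) for u in (joe, srt, alice)}


if __name__ == "__main__":
    for label, result in (
        ("initialcc copied, CC may see", scenario(True)),
        ("initialcc copied, CC box unchecked", scenario(True, cc_can_see=False)),
        ("initialcc skipped for security bugs", scenario(False)),
        ("bug filed before the watch was granted", scenario(True, watch_before_bug=False)),
    ):
        print(f"{label}: {result}")
```

The four runs correspond to the positions taken in the thread: Jon's concern (auto-approved watcher lands on the CC list and can read the restricted bug), the per-bug checkbox workaround he rejects as breaking the security team's workflow, Till's later observation that security-sensitive bugs skip initialccs, and Toshio's "reverse steps 1 and 2", where a watch granted after filing never reaches the existing bug's CC list.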
Re: [RFE] Auto-approve watchcommits and watchbugzilla in Pkgdb (2nd try)
On 07/28/2009 01:18 PM, Itamar Reis Peixoto wrote:
> Toshio
>
> what is needed to make this happen ?
>
> FESCo needs to approve this ?
>

It was in my post to the last thread::
"""
Is someone in a position to verify whether setting security flags on a
bug prevents someone who would be put in the CC list by the default cc
attribute would or would not let people see those bugs? Is someone in a
position to tell me if watching a person in bugzilla would also let you
violate this?
"""

I think people are generally amenable to autoapproving CC to
watchbugzilla as long as security bugs do not send updates out to random
people who have signed up to be CC'd. Knowing just how security bugs
work allows us to evaluate what the risks are.

-Toshio

> On Tue, Jul 28, 2009 at 2:17 PM, Peter Lemenkov wrote:
>> Hello All!
>>
>> Since nobody changed anything after last discussion, I repeat my
>> proposal again (if someone missed it).
>>
>> Why should we manually approve requests to watch bugzilla and cvs
>> changes for packages? I'm sure we need to change policy in order to
>> automatically approve all such requests.
>>
>> See previous discussions:
>>
>> http://thread.gmane.org/gmane.linux.redhat.fedora.devel/67465
>> (2007-10-26, started by Toshio Kuratomi)
>> http://thread.gmane.org/gmane.linux.redhat.fedora.devel/94641
>> (2008-10-12, started by Patrice Dumas)
>> http://thread.gmane.org/gmane.linux.redhat.fedora.devel/116848
>> (2009-07-06, started by me)
>>
>> --
>> With best regards, Peter Lemenkov.
>
Re: [RFE] Auto-approve watchcommits and watchbugzilla in Pkgdb (2nd try)
Toshio

what is needed to make this happen ?

FESCo needs to approve this ?

On Tue, Jul 28, 2009 at 2:17 PM, Peter Lemenkov wrote:
> Hello All!
>
> Since nobody changed anything after last discussion, I repeat my
> proposal again (if someone missed it).
>
> Why should we manually approve requests to watch bugzilla and cvs
> changes for packages? I'm sure we need to change policy in order to
> automatically approve all such requests.
>
> See previous discussions:
>
> http://thread.gmane.org/gmane.linux.redhat.fedora.devel/67465
> (2007-10-26, started by Toshio Kuratomi)
> http://thread.gmane.org/gmane.linux.redhat.fedora.devel/94641
> (2008-10-12, started by Patrice Dumas)
> http://thread.gmane.org/gmane.linux.redhat.fedora.devel/116848
> (2009-07-06, started by me)
>
> --
> With best regards, Peter Lemenkov.

--
Itamar Reis Peixoto

e-mail/msn: ita...@ispbrasil.com.br
sip: ita...@ispbrasil.com.br
skype: itamarjp
icq: 81053601
+55 11 4063 5033
+55 34 3221 8599
[RFE] Auto-approve watchcommits and watchbugzilla in Pkgdb (2nd try)
Hello All!

Since nobody changed anything after last discussion, I repeat my
proposal again (if someone missed it).

Why should we manually approve requests to watch bugzilla and cvs
changes for packages? I'm sure we need to change policy in order to
automatically approve all such requests.

See previous discussions:

http://thread.gmane.org/gmane.linux.redhat.fedora.devel/67465
(2007-10-26, started by Toshio Kuratomi)
http://thread.gmane.org/gmane.linux.redhat.fedora.devel/94641
(2008-10-12, started by Patrice Dumas)
http://thread.gmane.org/gmane.linux.redhat.fedora.devel/116848
(2009-07-06, started by me)

--
With best regards, Peter Lemenkov.
Re: [RFE] Auto-approve watchcommits and watchbugzilla in Pkgdb
On 07/06/2009 11:28 AM, Todd Zullinger wrote:
> Tom Lane wrote:
>> Peter Lemenkov writes:
>>> Why should we manually approve requests to watch bugzilla and
>>> cvs changes for packages? I'm sure we need to change policy in
>>> order to automatically approve all such requests.
>>
>> Isn't there a security issue there? I'm not sure I want any random
>> person watching every bz or commit I make.
>
> I _think_ watchbugzilla could have security risks, as anyone with that
> privilege would see potentially security-sensitive bugs.
>
> I'm not sure I see what issue there would be with watchcommits.
> Any random person can watch every commit you make right now, they
> just have to subscribe to fedora-extras-commits and filter things on
> your name. Generally, I think more people watching everyone else's
> commits makes for better security.
>
> Of course, I could be missing something that watchcommits grants which
> could be a real security risk. And I'm happy to be enlightened in
> that case.
>
Nope, autoapproval of watchcommits shouldn't add any problems. I want to
make the pkgdb UI less cluttered, though, and give people a choice
between signing up to watch everything about a package or nothing by
default. Separating only giving autoapproval to one of these but not the
other doesn't help much.

Is someone in a position to verify whether setting security flags on a
bug prevents someone who would be put in the CC list by the default cc
attribute would or would not let people see those bugs? Is someone in a
position to tell me if watching a person in bugzilla would also let you
violate this?

-Toshio
Re: [RFE] Auto-approve watchcommits and watchbugzilla in Pkgdb
Tom Lane wrote:
> Peter Lemenkov writes:
>> Why should we manually approve requests to watch bugzilla and
>> cvs changes for packages? I'm sure we need to change policy in
>> order to automatically approve all such requests.
>
> Isn't there a security issue there? I'm not sure I want any random
> person watching every bz or commit I make.

I _think_ watchbugzilla could have security risks, as anyone with that
privilege would see potentially security-sensitive bugs.

I'm not sure I see what issue there would be with watchcommits.
Any random person can watch every commit you make right now, they
just have to subscribe to fedora-extras-commits and filter things on
your name. Generally, I think more people watching everyone else's
commits makes for better security.

Of course, I could be missing something that watchcommits grants which
could be a real security risk. And I'm happy to be enlightened in
that case.

--
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~
Ever notice that even the busiest people are never too busy to tell you
just how busy they are?
Re: [RFE] Auto-approve watchcommits and watchbugzilla in Pkgdb
On Mon, Jul 06, 2009 at 02:14:27PM -0400, Tom Lane wrote:
> Peter Lemenkov writes:
> > Why should we manually approve requests to watch bugzilla and cvs
> > changes for packages? I'm sure we need to change policy in order to
> > automatically approve all such requests.
>
> Isn't there a security issue there? I'm not sure I want any random
> person watching every bz or commit I make.

Anyone with a BZ account can already watch every BZ you have

  Preferences -> Email Preferences -> Add users to my watch list

pkgdb just makes it more fine grained, so you can watch individual
components instead of having to find the owner and watch everything
they own

NB, the email watches don't allow them to snoop on bugs with restricted
group visibility, so they shouldn't be able to see bugs restricted to
the 'Security Sensitive Bug' group IIUC.

Regards,
Daniel
--
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org        -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
Re: [RFE] Auto-approve watchcommits and watchbugzilla in Pkgdb
2009/7/6 Tom Lane :
> Peter Lemenkov writes:
>> Why should we manually approve requests to watch bugzilla and cvs
>> changes for packages? I'm sure we need to change policy in order to
>> automatically approve all such requests.
>
> Isn't there a security issue there? I'm not sure I want any random
> person watching every bz or commit I make.

I don't think so - right now anyone can subscribe to the Bugzilla
activity of (or , or anyone else) and anyone can watch cvs commits.
Adding yourself to watchcommits and watchbugzilla is just another
(more convenient for Fedora members) way to monitor bugzilla and
commits.

--
With best regards!
Re: [RFE] Auto-approve watchcommits and watchbugzilla in Pkgdb
Peter Lemenkov writes:
> Why should we manually approve requests to watch bugzilla and cvs
> changes for packages? I'm sure we need to change policy in order to
> automatically approve all such requests.

Isn't there a security issue there? I'm not sure I want any random
person watching every bz or commit I make.

regards, tom lane
[RFE] Auto-approve watchcommits and watchbugzilla in Pkgdb
Hello All!

Why should we manually approve requests to watch bugzilla and cvs
changes for packages? I'm sure we need to change policy in order to
automatically approve all such requests.

--
With best regards!