| Field | Value | Field | Value |
|---|---|---|---|
| Summary | Should infra-gitbot be allowed to post to security-restricted bugs? | | |
| Product | Gentoo Infrastructure | Reporter | Robin Johnson <robbat2> |
| Component | Bugzilla | Assignee | Bugzilla Admins <bugzilla> |
| Status | CONFIRMED | | |
| Severity | normal | CC | mgorny, security |
| Priority | Normal | | |
| Version | unspecified | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Package list | | Runtime testing required | --- |
Description

Robin Johnson (comment #0):

Recently, a commit was made referencing a security bug that was private at the time. No automated posting was made by the Git bot because it did not have access to the bug.

https://bugs.gentoo.org/653834
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b0a071f5a9927a03d91b853610dbbe3c7e767d73

How should this be handled in future?
- status quo: lose the bug comment.
- allow gitbot access to restricted bugs?
- queue the message for later? (requires building a queuing system, which we need anyway)

This same question needs to be raised for other classes of restricted bugs.

---

I don't really see a problem in allowing access to restricted bugs. It's running on our Infra, and is limited in operation. I don't think it can expose any information from restricted bugs (I don't think Bugzilla includes any of that in error messages). The only potential risk would be allowing people to post comments on those bugs, but we generally control who can commit and I don't really see why anyone would want to do that.

(In reply to Robin Johnson from comment #0)
> Recently, a commit was made referencing a security bug that was private at
> the time. No automated posting was made by the Git bot because it did not
> have access to the bug.
>
> https://bugs.gentoo.org/653834
> https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b0a071f5a9927a03d91b853610dbbe3c7e767d73
>
> How should this be handled in future?
> - status quo: lose the bug comment.
> - allow gitbot access to restricted bugs?
> - queue the message for later? (requires building a queuing system, which we
> need anyway)
>
> This same question needs to be raised for other classes of restricted bugs.

---

Status quo or let the bot comment is fine by me. The developers should know by now that most embargoes have various restrictions. Additionally, we cover the restrictions in the comments during the opening of the bug or shortly thereafter.