When using the advanced form to file a bug, normal users don't have the necessary checkbox ("Only users in...") to restrict a bug to Gentoo Security. Also if I file a restricted bug and CC a user, he is able to access the bug, but not to modify it . Trying to post a comment results in
"Not allowed You tried to change the CC list accessible? field from 1 , but only the assignee or reporter of the bug, or a sufficiently empowered user may change that field." The checkboxes this error message complains about, are not there for normal users.
That's how the bugzilla2 security has always worked. Wait for bugzilla3 if you want anything different.
hm... then for how long has this been the case for bugs.g.o? It would mean our (firstname.lastname@example.org) one of our documented ways of confidentially contacting us has not been working. So it is really not possible for a regular user to comment on a restricted bug even if he is on the CC list? What does a user need to be able comment on those bugs then, editbugs priv? This really is a problem for our handling of restricted bugs in certain cases.
(In reply to comment #0)
> When using the advanced form to file a bug, normal users don't have the
> necessary checkbox ("Only users in...") to restrict a bug to Gentoo Security.
Yeah, thanks got they haven't any more. See Bug 122990 and don't ever introduce this back.
jakub, I very well remember the problems we had with users filing restricted bugs outside the security project... I still have a saved search for all sec restricted bugs from that time. And there really is no need for users being able to file security restricted bugs in any project but Gentoo Security.
The problem that came up is that they are not allowed to post restricted bugs in the sec product and that has been one of the ways to contact us regarding confidential issues which has been documented on security.g.o for a long time. What really makes it complicated now is that if we file a restricted bug and want to CC the original reporter on it so he can give more input, that is not possible (see bug desc).
(In reply to comment #4)
> What really makes it complicated now is that if we file a restricted bug and
> want to CC the original reporter on it so he can give more input, that is not
> possible (see bug desc).
This works perfectly fine for normal bugs, and works perfectly fine for Developer Relations product; IOW you can comment just normally if people in CC are allowed to access the bug. Why it wouldn't work for Gentoo Security product, really no idea.