Closed Bug 1059291 Opened 10 years ago Closed 10 years ago

Add MozillaWiki module peers to security group for Websites :: wiki.mozilla.org

Categories

(bugzilla.mozilla.org :: Administration, task)

Product:
bugzilla.mozilla.org
Component:
Administration
Version:
Production
Type:
task
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: GPHemsley, Assigned: glob)

References

(
URL
)

Details

The MozillaWiki module peers should be able to have access to the security-flagged bugs filed in Websites :: wiki.mozilla.org.
Flags: needinfo?(dveditz)
oops; accidentally submitted too soon.

dveditz: can you please look at this request and take any action if required?

thanks :)
Is there already a bugzilla group "MozillaWiki module peers", or is there a list of names somewhere? Since we only have one "website-security" access level do we need to create a separate mozillawiki-security group or are all the mozillawiki peers trusted to see all of the Mozilla website bugs?

Is there an alternate solution such as the peers being default CC'd on all mozillawiki bugs, so that they'd automatically have access to any that were marked as security bugs? Or a subset of the peers (like the owner) that could have default access and CC others as necessary? Or have someone on the web security team (such as Curtis) do so as web security bugs are regularly triaged?

For client security bug access we usually rely on the repeated need to CC people on security bugs to give them access as a good signal that person should get default access. Are there really that many mozillawiki security bugs or is this merely an occasional thing?

I can at least CC you on the current bugs while these details about ongoing are worked out.
Flags: needinfo?(dveditz)
(In reply to Daniel Veditz [:dveditz] from comment #2)
> Is there already a bugzilla group "MozillaWiki module peers", or is there a
> list of names somewhere?

there isn't a mozilla-wiki specific bugzilla group.
needinfo'ing gordon for the list of peers.

> Since we only have one "website-security" access
> level do we need to create a separate mozillawiki-security group or are all
> the mozillawiki peers trusted to see all of the Mozilla website bugs?

because groups security is at a product level, applying per-website security groups would require creating a new product for each website (which is more overhead than i'm willing to take on).

> Is there an alternate solution such as the peers being default CC'd on all
> mozillawiki bugs, so that they'd automatically have access to any that were
> marked as security bugs?

i think this is probably the best way forward here.

note- a default cc list is only applied at bug creation time, so taking this route means any bugs miss-filed and moved into the mozillawiki component would not be visible to the wiki peers without someone manually cc'ing them.

> Are there really that many mozillawiki security bugs or is this merely an occasional thing?

https://bugzilla.mozilla.org/buglist.cgi?f1=bug_group&o1=isnotempty&resolution=---&query_format=advanced&component=wiki.mozilla.org&product=Websites

looks occasional to me.
Flags: needinfo?(gphemsley)
(In reply to Byron Jones ‹:glob› from comment #3)
> (In reply to Daniel Veditz [:dveditz] from comment #2)
> > Is there already a bugzilla group "MozillaWiki module peers", or is there a
> > list of names somewhere?
> 
> there isn't a mozilla-wiki specific bugzilla group.
> needinfo'ing gordon for the list of peers.

The peers are CC'd here:

Christie Koehler (owner)
Gordon P. Hemsley (peer) (me)
Lyre Calliope (peer)

> > Since we only have one "website-security" access
> > level do we need to create a separate mozillawiki-security group or are all
> > the mozillawiki peers trusted to see all of the Mozilla website bugs?
> 
> because groups security is at a product level, applying per-website security
> groups would require creating a new product for each website (which is more
> overhead than i'm willing to take on).

We have actually been contemplating requesting our own product, if that helps.

> > Is there an alternate solution such as the peers being default CC'd on all
> > mozillawiki bugs, so that they'd automatically have access to any that were
> > marked as security bugs?
> 
> i think this is probably the best way forward here.
> 
> note- a default cc list is only applied at bug creation time, so taking this
> route means any bugs miss-filed and moved into the mozillawiki component
> would not be visible to the wiki peers without someone manually cc'ing them.

That works for now, I suppose. (Though we actually had a bug on file to do that and it was recommended to use Component Watching instead. Just FTR.)

> > Are there really that many mozillawiki security bugs or is this merely an occasional thing?
> 
> https://bugzilla.mozilla.org/buglist.
> cgi?f1=bug_group&o1=isnotempty&resolution=---
> &query_format=advanced&component=wiki.mozilla.org&product=Websites
> 
> looks occasional to me.

Agreed, from what I've been CC'd on. And I expect the number to go down even more once bug 1032351 is fixed.
Flags: needinfo?(gphemsley)
(In reply to Gordon P. Hemsley [:GPHemsley] from comment #4)
> > > Is there an alternate solution such as the peers being default CC'd on all
> > > mozillawiki bugs, so that they'd automatically have access to any that were
> > > marked as security bugs?
> > 
> > i think this is probably the best way forward here.
> 
> That works for now, I suppose.

Changes to the component wiki.mozilla.org have been saved:
  Default CC list updated to ckoehler@mozilla.com, gphemsley@gphemsley.org, lyre.calliope@gmail.com
Assignee: nobody → glob
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
See Also: → 1087838
You need to log in before you can comment on or make changes to this bug.