If you think a bug might affect users in the 57 release, please set the correct tracking and status flags for Release Management.

Add MozillaWiki module peers to security group for Websites :: wiki.mozilla.org

RESOLVED FIXED

Status

()

bugzilla.mozilla.org
Administration
RESOLVED FIXED
3 years ago
3 years ago

People

(Reporter: GPHemsley, Assigned: glob)

Tracking

Production

Details

(URL)

(Reporter)

Description

3 years ago
The MozillaWiki module peers should be able to have access to the security-flagged bugs filed in Websites :: wiki.mozilla.org.
(Assignee)

Updated

3 years ago
Flags: needinfo?(dveditz)
(Assignee)

Comment 1

3 years ago
oops; accidentally submitted too soon.

dveditz: can you please look at this request and take any action if required?

thanks :)
Is there already a bugzilla group "MozillaWiki module peers", or is there a list of names somewhere? Since we only have one "website-security" access level do we need to create a separate mozillawiki-security group or are all the mozillawiki peers trusted to see all of the Mozilla website bugs?

Is there an alternate solution such as the peers being default CC'd on all mozillawiki bugs, so that they'd automatically have access to any that were marked as security bugs? Or a subset of the peers (like the owner) that could have default access and CC others as necessary? Or have someone on the web security team (such as Curtis) do so as web security bugs are regularly triaged?

For client security bug access we usually rely on the repeated need to CC people on security bugs to give them access as a good signal that person should get default access. Are there really that many mozillawiki security bugs or is this merely an occasional thing?

I can at least CC you on the current bugs while these details about ongoing are worked out.
Flags: needinfo?(dveditz)
(Assignee)

Comment 3

3 years ago
(In reply to Daniel Veditz [:dveditz] from comment #2)
> Is there already a bugzilla group "MozillaWiki module peers", or is there a
> list of names somewhere?

there isn't a mozilla-wiki specific bugzilla group.
needinfo'ing gordon for the list of peers.

> Since we only have one "website-security" access
> level do we need to create a separate mozillawiki-security group or are all
> the mozillawiki peers trusted to see all of the Mozilla website bugs?

because groups security is at a product level, applying per-website security groups would require creating a new product for each website (which is more overhead than i'm willing to take on).

> Is there an alternate solution such as the peers being default CC'd on all
> mozillawiki bugs, so that they'd automatically have access to any that were
> marked as security bugs?

i think this is probably the best way forward here.

note- a default cc list is only applied at bug creation time, so taking this route means any bugs miss-filed and moved into the mozillawiki component would not be visible to the wiki peers without someone manually cc'ing them.

> Are there really that many mozillawiki security bugs or is this merely an occasional thing?

https://bugzilla.mozilla.org/buglist.cgi?f1=bug_group&o1=isnotempty&resolution=---&query_format=advanced&component=wiki.mozilla.org&product=Websites

looks occasional to me.
Flags: needinfo?(gphemsley)
(Reporter)

Comment 4

3 years ago
(In reply to Byron Jones ‹:glob› from comment #3)
> (In reply to Daniel Veditz [:dveditz] from comment #2)
> > Is there already a bugzilla group "MozillaWiki module peers", or is there a
> > list of names somewhere?
> 
> there isn't a mozilla-wiki specific bugzilla group.
> needinfo'ing gordon for the list of peers.

The peers are CC'd here:

Christie Koehler (owner)
Gordon P. Hemsley (peer) (me)
Lyre Calliope (peer)

> > Since we only have one "website-security" access
> > level do we need to create a separate mozillawiki-security group or are all
> > the mozillawiki peers trusted to see all of the Mozilla website bugs?
> 
> because groups security is at a product level, applying per-website security
> groups would require creating a new product for each website (which is more
> overhead than i'm willing to take on).

We have actually been contemplating requesting our own product, if that helps.

> > Is there an alternate solution such as the peers being default CC'd on all
> > mozillawiki bugs, so that they'd automatically have access to any that were
> > marked as security bugs?
> 
> i think this is probably the best way forward here.
> 
> note- a default cc list is only applied at bug creation time, so taking this
> route means any bugs miss-filed and moved into the mozillawiki component
> would not be visible to the wiki peers without someone manually cc'ing them.

That works for now, I suppose. (Though we actually had a bug on file to do that and it was recommended to use Component Watching instead. Just FTR.)

> > Are there really that many mozillawiki security bugs or is this merely an occasional thing?
> 
> https://bugzilla.mozilla.org/buglist.
> cgi?f1=bug_group&o1=isnotempty&resolution=---
> &query_format=advanced&component=wiki.mozilla.org&product=Websites
> 
> looks occasional to me.

Agreed, from what I've been CC'd on. And I expect the number to go down even more once bug 1032351 is fixed.
Flags: needinfo?(gphemsley)
(Assignee)

Comment 5

3 years ago
(In reply to Gordon P. Hemsley [:GPHemsley] from comment #4)
> > > Is there an alternate solution such as the peers being default CC'd on all
> > > mozillawiki bugs, so that they'd automatically have access to any that were
> > > marked as security bugs?
> > 
> > i think this is probably the best way forward here.
> 
> That works for now, I suppose.

Changes to the component wiki.mozilla.org have been saved:
  Default CC list updated to ckoehler@mozilla.com, gphemsley@gphemsley.org, lyre.calliope@gmail.com
Assignee: nobody → glob
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
(Reporter)

Updated

3 years ago
See Also: → bug 1087838
You need to log in before you can comment on or make changes to this bug.