Closed
Bug 348704
Opened 18 years ago
Closed 16 years ago
bmo customization for "anyone set security bit" needs to be updated
Categories
(bugzilla.mozilla.org :: General, defect)
bugzilla.mozilla.org
General
Tracking
()
RESOLVED
FIXED
People
(Reporter: reed, Assigned: reed)
References
()
Details
Attachments
(1 file)
9.86 KB,
patch
|
Details | Diff | Splinter Review |
The bmo customization for allowing anybody to set the security bit needs to be updated. + [% IF product == "Bugzilla" OR product == "Webtools" %] + [% sec_bit = 12 %] [%# Webtools security group %] + [% ELSIF product == "Update" %] + [% sec_bit = 23 %] [%# Update security group %] + [% ELSE %] + [% sec_bit = 2 %] [%# Standard security group %] + [% END %] "Update" has been renamed to "addons.mozilla.org". Shouldn't the "mozilla.org" product default to "mozorgconfidential" group? Also, what about "Websites" component? It should not use the standard security group. There may be others to change, too.
mozilla.org should not default to mozorgconfidential, then i couldn't see bugs there! :(
Comment 2•18 years ago
|
||
Dan: thoughts?
Comment 3•18 years ago
|
||
I'm with Reed on the mozilla.org product. If timeless's resulting lack of access is a problem then fix *that*, don't stuff a bunch of bugs in the wrong group for everyone else. He could be the default QA assignee for the BMO components (myk's probably not right anymore) or add him to the group if he really ought to be seeing them. What is mozilla.org confidential for if not mozilla.org stuff? Websites and Marketing should probably be mozillaorgconfidential also. Or maybe this "Mozillion Confidential" thing I see I'm a member of? what the heck is that one? What's the Testopia product? maybe that's webtools security.
testopia would be webtools in my book. what would it take to get me added to mozilla.org confidential? :)
Comment 5•18 years ago
|
||
Mozillion was a marketing campaign which never really happened; I don't know how it got a security group of its own. It currently only has one bug in it, a "Welcome to Mozillion" bug. I think we can get rid of it. mozorgconfidential is currently being used for confidential bugs of a type which timeless (among many other people) should not have access to. Please don't add new members to that group. If we need new security groups for various projects (such as the website) then let's create them. Gerv
Comment 6•18 years ago
|
||
The group mozillionconfidential has been deleted. I moved its sole bug into Marketing Private for now (not that it really needs to be their either, but I don't know how much they needed to be public ;) If for some reason it needs to be resurrected, I did save a copy of the membership list before nuking it.
Comment 7•18 years ago
|
||
OK, we have two distinct sets of webtools now which are actively maintained by differing sets of folks, and a couple minor divisions in each of those groups. "Classic Webtools" all the perl-based stuff: Bugzilla, Bonsai, Tinderbox, LXR, Mozbot, Testopia, etc. "Recently-created* Webtools" all the php-based new stuff in the last couple years:, Spreadfirefox, Addons, AUS, MDC, each of these seems to have a distinct set of people maintaining them. The latter group may be worthy of a few separate security groups. Bugzilla is also increasingly heading off in its own direction, with very little overlap in development resources between it and the rest of the classic webtools. People in the main Mozilla security group are more likely to fix Tinderbox and Bonsai bugs than people in webtools-security these days. The folks in webtools-security are mostly comprised of Bugzilla hackers. Overlap between Bugzilla and Testopia makes sense still, because Testopia is an add-on for Bugzilla. There is already a mozillacomconfidential group, which is currently only used for the Websites product (mozilla.com stuff in particular). This is kind of confusing with mozillaorgconfidential also being used, and the mozillaorg one is the one all the employees can see, and is used for stuff in the mozilla.org product (but only for company-confidential stuff, not for security bugs). Any comments from the peanut gallery? What set of security groups do we want and which products should they map to when people click the "this is a security issue" checkbox?
We already have an AMO security bug, which for historical reasons is named "update-security" or some such.
Comment 9•18 years ago
|
||
Here's a suggested plan: - Split off Bugzilla/Testopia into bugzilla-security - Merge update-security and webtools-security into web-security, and use it for all other web tools and web site security issues - Keep the current security group as-is for holes in other Mozilla products - Keep Marketing Private for marketing (perhaps renaming it, for consistency, to "marketing-private") - Keep mozillacomconfidential, perhaps renamed as "mozilla-com-private", for Mozilla Corporation stuff (transplanting any stuff misfiled into mozillaorgconfidential) - Leave mozillaorgconfidential (mozilla-org-private) for now Are any other groups needed? In addition, the local hack we use for allocating security bugs to groups should use product IDs, not product names. :-) Gerv
Assignee | ||
Updated•18 years ago
|
QA Contact: myk → reed
Assignee | ||
Comment 10•17 years ago
|
||
Assigning to me, as per discussion with Gerv. I still need the final list of security groups.
Assignee: justdave → reed
Comment 11•17 years ago
|
||
Reed: I'm still having a chat with dveditz, who hit a problem with Bugzilla recently which made him concerned about the impact of any changes. I'll post here when that's resolved, then you can make the patch, and when it's ready to go we can do the group changes in b.m.o. itself. Gerv
Assignee | ||
Comment 12•17 years ago
|
||
Now that bug 303183 has been fixed and bmo has been upgraded to have that patch, we can move forward on this.
Depends on: 303183
Assignee | ||
Comment 13•17 years ago
|
||
Plan of action, as proposed by gerv, dveditz, and me (includes a change as per bug 399841): Plan version 0.3b: - Keep the current "security" group as-is, for holes in Mozilla products such as Firefox and Thunderbird. No change in membership. [Products: all in Client Software and Components classifications] - Split off Bugzilla/Testopia into a new "bugzilla-security" group, with members being drawn from the existing Bugzilla project security group, security@bugzilla.org (13 people). [Products: Bugzilla, Testopia] - "webtools-security" continues to deal with the remaining webtools. No change in membership. [Product: AUS, Webtools] - "websites-security" is created to deal with websites, with members being drawn from the website-drivers@mozilla.org mailing list. [Product: Websites] - "update-security", renamed to "addons-security", becomes used for addons issues (both the servers and the addons themselves). No change in membership. security and webtools-security groups are no longer inherited. [Product: addons.mozilla.org] Other renames: "Marketing Private" -> "marketing-private" "mozillacomconfidential" -> "mozilla-com-private" "mozillaorgconfidential" -> "mozilla-org-private" (There may be some moving of bugs between these groups to put them in the right place.)
Blocks: 399841
Status: NEW → ASSIGNED
Assignee | ||
Comment 14•17 years ago
|
||
justdave, what do you think of the plan? Do you have any changes you would like to make? Is it satisfactory to you?
Comment 15•16 years ago
|
||
Ok, so, one thing I'd really like to see is the idea that we have groups for _people_ and groups for _bug access_. Inheritance is powerful here, and its easier to maintain in general, IMO. We can get as fine-grained as we need to be, but keep it easy to give groups of people the right amount of access.
Assignee | ||
Comment 16•16 years ago
|
||
WIP patch on adding support for the new groups and aliasing the old group names to the new ones. Untested.
Assignee | ||
Comment 17•16 years ago
|
||
This has been done.
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Updated•13 years ago
|
Component: Bugzilla: Other b.m.o Issues → General
Product: mozilla.org → bugzilla.mozilla.org
You need to log in
before you can comment on or make changes to this bug.
Description
•