Old 03-07-2011, 11:20 AM
Markos Chandras
 
Default Bugzilla 4 migration

On Sun, Mar 06, 2011 at 11:55:31PM +0100, Christian Ruppert wrote:
> Dear community,
>
> our Bugzilla (bugs.gentoo.org) will be unavailable for the next hours.
> We're going to migrate our old Bugzilla to Bugzilla-4.
> We expect our update to finish within the next hours.
>
> Some notes:
> SSL is enabled by default now, so it's forced. Unfortunately the
> option to force SSL *only* for logged in user is no longer available in
> Bugzilla-4.x. It has been added in early 3.x AFAIR and later replaced by
> forcing SSL at all or not.
> If *anybody* can't use SSL for any reason please yell so that we can
> decide if we leave it as it is (plain + encrypted) or not.
>
> All custom/Gentoo patches will be available *later* in a git repo[1].
> So if you'd like to fix something or improve the theme you can
> contribute patches.
> Thanks to Alex Legler (a3li) for the Bugzilla theme.
>
> [1]
> http://git.overlays.gentoo.org/gitweb/?p=proj/gentoo-bugzilla.git;a=summary
>
> --
> Regards,
> Christian Ruppert
> Role: Gentoo Linux developer, Bugzilla administrator and Infrastructure
> member
> Fingerprint: EEB1 C341 7C84 B274 6C59 F243 5EAB 0C62 B427 ABC8
>

Thank you very much. New bugzie looks pretty


Regards,
--
Markos Chandras / Gentoo Linux Developer / Key ID: B4AFF2C2
 
Old 03-07-2011, 01:13 PM
Donnie Berkholz
 
Default Bugzilla 4 migration

On 09:51 Mon 07 Mar , Robin H. Johnson wrote:
> The Gentoo for the Bugzilla service went perfectly, a huge thanks to
> idl0r for the years of work he has put into them.

Thanks! One thing I've been very interested about in 3.x and 4.x is API
access that's better than screen-scraping. I tried using the
python-bugzilla client that accesses Bugzilla via XML-RPC but it didn't
seem to work. Do we have anything available?

--
Thanks,
Donnie

Donnie Berkholz
Sr. Developer, Gentoo Linux
Blog: http://dberkholz.com
 
Old 03-07-2011, 01:48 PM
Tobias Klausmann
 
Default Bugzilla 4 migration

Hi!

On Mon, 07 Mar 2011, Mike Frysinger wrote:
> >> If *anybody* can't use SSL for any reason please yell so that we can
> >> decide if we leave it as it is (plain + encrypted) or not.
> >
> > Is there any *real* reason to force SSL? It is *hell* slow.
>
> it should of course be force for logging in

If it is enforced for login, it should be enforced for logged
in sessions, cf. Cookie stealing (for a POC: Firesheep). And no,
restricting the login cookie to an IP is *not* "safe enough".

Regards,
Tobias

--
Sent from aboard the Culture ship
GSV Zero Gravitas
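
The argument in the post above, as an added example that is not part of the original thread: when only the login is served over SSL, the session cookie carries no `Secure` attribute, so the browser also sends it on every later plain-HTTP page view. The sketch audits a login response for that condition; the cookie names, values and headers are constructed samples, and the function names are hypothetical.

```python
from http.cookies import SimpleCookie

# Constructed sample Set-Cookie headers (names and values are illustrative).
# "SSL for login only": the login form is served over HTTPS, but the cookies
# carry no Secure attribute, so later http:// page views transmit them.
LOGIN_ONLY_SSL = [
    "Bugzilla_login=42; path=/; HttpOnly",
    "Bugzilla_logincookie=Zx9QmT4k; path=/; HttpOnly",
    "LANG=en; path=/",
]
# "SSL forced for the whole session": session cookies are marked Secure.
FORCED_SSL = [
    "Bugzilla_login=42; path=/; secure; HttpOnly",
    "Bugzilla_logincookie=Zx9QmT4k; path=/; secure; HttpOnly",
]
SESSION_COOKIES = {"Bugzilla_login", "Bugzilla_logincookie"}


def cookies_sent_in_clear(set_cookie_headers):
    """Names of cookies a browser would also attach to http:// requests."""
    exposed = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            # The Secure flag parses to True; when absent it is "".
            if not morsel["secure"]:
                exposed.append(name)
    return sorted(exposed)


def audit_login_response(scheme, set_cookie_headers, session_cookie_names):
    """Findings for one login response; an empty list means no issue."""
    findings = []
    if scheme != "https":
        findings.append("credentials submitted over plain HTTP")
    for name in cookies_sent_in_clear(set_cookie_headers):
        if name in session_cookie_names:
            findings.append(
                f"session cookie {name} lacks Secure: readable on any "
                "later http:// request, even though login used HTTPS"
            )
    return findings


if __name__ == "__main__":
    for label, headers in (("login-only SSL", LOGIN_ONLY_SSL),
                           ("forced SSL", FORCED_SSL)):
        print(label, audit_login_response("https", headers, SESSION_COOKIES))
```

`HttpOnly` does not change the result: it hides the cookie from page scripts, not from someone observing unencrypted traffic.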
 
Old 03-07-2011, 01:50 PM
Dane Smith
 
Default Bugzilla 4 migration

On 03/07/2011 09:48 AM, Tobias Klausmann wrote:
> Hi!
>
> On Mon, 07 Mar 2011, Mike Frysinger wrote:
>>>> If *anybody* can't use SSL for any reason please yell so that we can
>>>> decide if we leave it as it is (plain + encrypted) or not.
>>>
>>> Is there any *real* reason to force SSL? It is *hell* slow.
>>
>> it should of course be force for logging in
>
> If it is enforced for login, it should be enforced for logged
> in sessions, cf. Cookie stealing (for a POC: Firesheep). And no,
> restricting the login cookie to an IP is *not* "safe enough".
>
> Regards,
> Tobias
>

First off, a big thanks to infra and all involved in the migration. It
looks awesome!

As to the SSL bit, there is *no* reason not to be using SSL for anything
that requires a username / password. And I 100% agree with Tobias. If
it's necessary to use SSL to login, it's necessary to use it for the
duration of the session. I don't know how feasible it is to do, but if
normal viewing (no login) can be left SSL free, I see no issue there.
Otherwise however, SSL should be in use.

Regards,
--
Dane Smith (c1pher)
Gentoo Linux Developer -- QA / Crypto / Sunrise / x86
RSA Key: http://pgp.mit.edu:11371/pks/lookup?search=0x0C2E1531&op=index
 
Old 03-07-2011, 02:00 PM
Mike Frysinger
 
Default Bugzilla 4 migration

On Mon, Mar 7, 2011 at 9:48 AM, Tobias Klausmann wrote:
> On Mon, 07 Mar 2011, Mike Frysinger wrote:
>> >> If *anybody* can't use SSL for any reason please yell so that we can
>> >> decide if we leave it as it is (plain + encrypted) or not.
>> >
>> > Is there any *real* reason to force SSL? It is *hell* slow.
>>
>> it should of course be force for logging in
>
> If it is enforced for login, it should be enforced for logged
> in sessions, cf. Cookie stealing (for a POC: Firesheep). And no,
> restricting the login cookie to an IP is *not* "safe enough".

you're talking about two different things. imo it's more important to
protect the credentials than spoofing/replay attacks. the former is a
no brainer while the latter is fine to leave to the discretion of the
end user.
-mike
 
Old 03-07-2011, 02:35 PM
Dirkjan Ochtman
 
Default Bugzilla 4 migration

On Mon, Mar 7, 2011 at 15:13, Donnie Berkholz <dberkholz@gentoo.org> wrote:
> Thanks! One thing I've been very interested about in 3.x and 4.x is API
> access that's better than screen-scraping. I tried using the
> python-bugzilla client that accesses Bugzilla via XML-RPC but it didn't
> seem to work. Do we have anything available?

Is that the one you get if you emerge pybugz?

The Mozilla guys made a pretty nice REST API that can be installed as a
plugin, I think. Maybe we could run that?

Cheers,

Dirkjan
 
Old 03-07-2011, 02:47 PM
Donnie Berkholz
 
Default Bugzilla 4 migration

On 16:35 Mon 07 Mar , Dirkjan Ochtman wrote:
> On Mon, Mar 7, 2011 at 15:13, Donnie Berkholz <dberkholz@gentoo.org> wrote:
> > Thanks! One thing I've been very interested about in 3.x and 4.x is API
> > access that's better than screen-scraping. I tried using the
> > python-bugzilla client that accesses Bugzilla via XML-RPC but it didn't
> > seem to work. Do we have anything available?
>
> Is that the one you get if you emerge pybugz?

No, pybugz is a screen-scraper. We previously had Bugzilla 2 so we
couldn't do anything else.

> The Mozilla guys made a pretty nice REST API that can be installed as a
> plugin, I think. Maybe we could run that?

I've been somewhat following that too, but I don't know if anyone's
written a CLI client for it yet, whereas python-bugzilla already exists
(and has an ebuild in the sabayon overlay).

--
Thanks,
Donnie

Donnie Berkholz
Sr. Developer, Gentoo Linux
Blog: http://dberkholz.com
 
Old 03-07-2011, 06:47 PM
Michał Górny
 
Default Bugzilla 4 migration

On Mon, 7 Mar 2011 15:48:19 +0100
Tobias Klausmann <klausman@gentoo.org> wrote:

> On Mon, 07 Mar 2011, Mike Frysinger wrote:
> > >> If *anybody* can't use SSL for any reason please yell so that we
> > >> can decide if we leave it as it is (plain + encrypted) or not.
> > >
> > > Is there any *real* reason to force SSL? It is *hell* slow.
> >
> > it should of course be force for logging in
>
> If it is enforced for login, it should be enforced for logged
> in sessions, cf. Cookie stealing (for a POC: Firesheep). And no,
> restricting the login cookie to an IP is *not* "safe enough".

Why does everyone assume it needs to be enforced? If user is interested
in protecting his/her data, he/she can simply use https://. If he/she
is not, there is no real reason to enforce slower (and not always
supported) SSL.

It's like forcing everyone to have doors with semi-automatic locks.

--
Best regards,
Michał Górny
 
Old 03-07-2011, 07:03 PM
Christian Ruppert
 
Default Bugzilla 4 migration

On 03/07/2011 08:47 PM, Michał Górny wrote:
> On Mon, 7 Mar 2011 15:48:19 +0100
> Tobias Klausmann <klausman@gentoo.org> wrote:
>
>> On Mon, 07 Mar 2011, Mike Frysinger wrote:
>>>>> If *anybody* can't use SSL for any reason please yell so that we
>>>>> can decide if we leave it as it is (plain + encrypted) or not.
>>>>
>>>> Is there any *real* reason to force SSL? It is *hell* slow.
>>>
>>> it should of course be force for logging in
>>
>> If it is enforced for login, it should be enforced for logged
>> in sessions, cf. Cookie stealing (for a POC: Firesheep). And no,
>> restricting the login cookie to an IP is *not* "safe enough".
>
> Why does everyone assume it needs to be enforced? If user is interested
> in protecting his/her data, he/she can simply use https://. If he/she
> is not, there is no real reason to enforce slower (and not always
> supported) SSL.
>
> It's like forcing everyone to have doors with semi-automatic locks.
>

*I* think it's ok if we're going to protect *our* data. Some user may
even benefit from it.
I don't see any disadvantages for our users.

--
Regards,
Christian Ruppert
Role: Gentoo Linux developer, Bugzilla administrator and Infrastructure
member
Fingerprint: EEB1 C341 7C84 B274 6C59 F243 5EAB 0C62 B427 ABC8
 
Old 03-07-2011, 07:06 PM
Olivier Crête
 
Default Bugzilla 4 migration

On Mon, 2011-03-07 at 20:47 +0100, Michał Górny wrote:
> On Mon, 7 Mar 2011 15:48:19 +0100
> Tobias Klausmann <klausman@gentoo.org> wrote:
>
> > On Mon, 07 Mar 2011, Mike Frysinger wrote:
> > > >> If *anybody* can't use SSL for any reason please yell so that we
> > > >> can decide if we leave it as it is (plain + encrypted) or not.
> > > >
> > > > Is there any *real* reason to force SSL? It is *hell* slow.
> > >
> > > it should of course be force for logging in
> >
> > If it is enforced for login, it should be enforced for logged
> > in sessions, cf. Cookie stealing (for a POC: Firesheep). And no,
> > restricting the login cookie to an IP is *not* "safe enough".
>
> Why does everyone assume it needs to be enforced? If user is interested
> in protecting his/her data, he/she can simply use https://. If he/she
> is not, there is no real reason to enforce slower (and not always
> supported) SSL.

Maybe it's not to protect the user, but to protect the Gentoo
infrastructure.. And really, SSL has been supported by every browser for
the last 15 years. And it is not in any way slow or slower than non-SSL.


--
Olivier Crête
tester@gentoo.org
Gentoo Developer
 
