Old 03-07-2011, 08:32 PM
Fabian Groffen
 
Default Bugzilla 4 migration

On 07-03-2011 15:06:25 -0500, Olivier Crête wrote:
> Maybe it's not to protect the user, but to protect the Gentoo
> infrastructure.. And really, SSL has been supported by every browser for
> the last 15 years. And it is not in any way slow or slower than non-SSL.

but the certificate security click-through-couple-of-times before you
can access bugzilla is sort of annoying

As outsider, I don't like to accept another certificate thing, just to
view a bugtracker.


--
Fabian Groffen
Gentoo on a different level
 
Old 03-07-2011, 08:52 PM
Rich Freeman
 
Default Bugzilla 4 migration

On Mon, Mar 7, 2011 at 4:32 PM, Fabian Groffen <grobian@gentoo.org> wrote:
> As outsider, I don't like to accept another certificate thing, just to
> view a bugtracker.

When you think about it, this is a defect with your browser, and not
so much with SSL itself.

Your browser generally doesn't complain about unauthenticated
connections. It accepts unauthenticated connections that aren't
encrypted without any issues, despite these being completely open to
numerous attacks. However, your browser does complain when it makes
an unauthenticated connection that IS encrypted, even though this is
vulnerable to far fewer attacks.

Browsers shouldn't bug the user about self-signed certificates - they
should simply and clearly show that the user is connected to a host
that isn't authenticated by a trusted intermediate.

Oh, and browsers shouldn't come with root certs pre-installed by the
browser distributor either, but that is about as likely to get fixed
as the problem I just described.

In any case, I don't see poor browser design as a valid reason for
avoiding the use of SSL...

Rich
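
The three connection states contrasted in the message above (authenticated, encrypted but unauthenticated, no TLS at all), as an added example that is not part of the original thread: a Python client that reports which state a host is in instead of failing on an untrusted certificate. The function names and state labels are assumptions made for this illustration.

```python
import hashlib
import socket
import ssl

def make_contexts():
    """Return (verifying, non_verifying) TLS client contexts."""
    verified = ssl.create_default_context()   # CERT_REQUIRED plus hostname check
    unverified = ssl.create_default_context()
    unverified.check_hostname = False         # must be cleared before CERT_NONE
    unverified.verify_mode = ssl.CERT_NONE    # encrypt, but trust nobody's claim
    return verified, unverified

def _handshake(ctx, host, port, timeout):
    """Complete a TLS handshake and return the SHA-256 of the peer certificate."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)  # DER even when unvalidated
            return hashlib.sha256(der).hexdigest()

def classify(host, port=443, timeout=5.0):
    """Return (state, fingerprint_or_None) for host:port.

    States (labels chosen for this example):
      authenticated             - chain validates against the local trust store
      encrypted-unauthenticated - TLS works, certificate is not vouched for
      no-usable-tls             - something answered, but not with usable TLS
      unreachable               - no connection at all
    """
    verified, unverified = make_contexts()
    try:
        return "authenticated", _handshake(verified, host, port, timeout)
    except ssl.SSLCertVerificationError:
        pass  # self-signed or unknown CA: retry without authentication
    except ssl.SSLError:
        return "no-usable-tls", None
    except OSError:
        return "unreachable", None
    try:
        return "encrypted-unauthenticated", _handshake(unverified, host, port, timeout)
    except OSError:  # ssl.SSLError is a subclass of OSError
        return "unreachable", None

if __name__ == "__main__":
    import sys
    for name in sys.argv[1:]:
        print(name, *classify(name))
```

The fingerprint returned in the unauthenticated case can be compared against a value obtained out of band, which is the only authentication such a connection can offer.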
 
Old 03-07-2011, 08:59 PM
Fabian Groffen
 
Default Bugzilla 4 migration

On 07-03-2011 16:52:23 -0500, Rich Freeman wrote:
> In any case, I don't see poor browser design as a valid reason for
> avoiding the use of SSL...

Please use a MUA that properly honours Reply-To: headers. I'm on the
list.


--
Fabian Groffen
Gentoo on a different level
 
Old 03-07-2011, 09:23 PM
Mike Frysinger
 
Default Bugzilla 4 migration

On Monday, March 07, 2011 16:59:22 Fabian Groffen wrote:
> On 07-03-2011 16:52:23 -0500, Rich Freeman wrote:
> > In any case, I don't see poor browser design as a valid reason for
> > avoiding the use of SSL...
>
> Please use a MUA that properly honours Reply-To: headers. I'm on the
> list.

subscribed != receiving. there's no way of knowing who is. get over it.
-mike
 
Old 03-07-2011, 09:25 PM
Mike Frysinger
 
Default Bugzilla 4 migration

On Monday, March 07, 2011 16:32:55 Fabian Groffen wrote:
> On 07-03-2011 15:06:25 -0500, Olivier Crête wrote:
> > Maybe it's not to protect the user, but to protect the Gentoo
> > infrastructure.. And really, SSL has been supported by every browser for
> > the last 15 years. And it is not in any way slow or slower than non-SSL.
>
> but the certificate security click-through-couple-of-times before you
> can access bugzilla is sort of annoying

i heard rumors the cacert is finally going into firefox ...

> As outsider, I don't like to accept another certificate thing, just to
> view a bugtracker.

if we're only forcing *login*, then this isnt an issue
-mike
 
Old 03-08-2011, 05:50 AM
Hans de Graaff
 
Default Bugzilla 4 migration

On Mon, 2011-03-07 at 08:13 -0600, Donnie Berkholz wrote:

> Thanks! One thing I've been very interested about in 3.x and 4.x is API
> access that's better than screen-scraping. I tried using the
> python-bugzilla client that accesses Bugzilla via XML-RPC but it didn't
> seem to work. Do we have anything available?

I've tried an ipad application that uses xmlrpc and that seemed to work
fine.

Kind regards,

Hans
 
Old 03-08-2011, 07:08 AM
Fabian Groffen
 
Default Bugzilla 4 migration

On 07-03-2011 17:25:02 -0500, Mike Frysinger wrote:
> > As outsider, I don't like to accept another certificate thing, just to
> > view a bugtracker.
>
> if we're only forcing *login*, then this isnt an issue

+1


--
Fabian Groffen
Gentoo on a different level
 
Old 03-08-2011, 01:06 PM
Donnie Berkholz
 
Default Bugzilla 4 migration

On 07:50 Tue 08 Mar , Hans de Graaff wrote:
> On Mon, 2011-03-07 at 08:13 -0600, Donnie Berkholz wrote:
>
> > Thanks! One thing I've been very interested about in 3.x and 4.x is API
> > access that's better than screen-scraping. I tried using the
> > python-bugzilla client that accesses Bugzilla via XML-RPC but it didn't
> > seem to work. Do we have anything available?
>
> I've tried an ipad application that uses xmlrpc and that seemed to work
> fine.

Confirmed with my iphone one. Guess the Python one's broken with BZ 4.
Fiddling around manually with xmlrpclib works alright, too.

--
Thanks,
Donnie

Donnie Berkholz
Sr. Developer, Gentoo Linux
Blog: http://dberkholz.com
 
Old 03-08-2011, 01:26 PM
Michał Górny
 
Default Bugzilla 4 migration

On Mon, 07 Mar 2011 15:06:25 -0500
Olivier Crête <tester@gentoo.org> wrote:

> On Mon, 2011-03-07 at 20:47 +0100, Michał Górny wrote:
> > Why does everyone assume it needs to be enforced? If user is
> > interested in protecting his/her data, he/she can simply use
> > https://. If he/she is not, there is no real reason to enforce
> > slower (and not always supported) SSL.
>
> Maybe it's not to protect the user, but to protect the Gentoo
> infrastructure.. And really, SSL has been supported by every browser
> for the last 15 years. And it is not in any way slow or slower than
> non-SSL.

If you really think you need to force all users to use SSL, thus
assuming they're unable to make their own decisions, why don't you
restrict bugzie access completely?

--
Best regards,
Michał Górny
 
Old 03-08-2011, 01:41 PM
Antoni Grzymała
 
Default Bugzilla 4 migration

On Tue, 8 Mar 2011 15:26:34 +0100, Michał Górny wrote:
> On Mon, 07 Mar 2011 15:06:25 -0500
> Olivier Crête <tester@gentoo.org> wrote:
>
> > On Mon, 2011-03-07 at 20:47 +0100, Michał Górny wrote:
> > > Why does everyone assume it needs to be enforced? If user is
> > > interested in protecting his/her data, he/she can simply use
> > > https://. If he/she is not, there is no real reason to enforce
> > > slower (and not always supported) SSL.
> >
> > Maybe it's not to protect the user, but to protect the Gentoo
> > infrastructure.. And really, SSL has been supported by every browser
> > for the last 15 years. And it is not in any way slow or slower than
> > non-SSL.
>
> If you really think you need to force all users to use SSL, thus
> assuming they're unable to make their own decisions, why don't you
> restrict bugzie access completely?

Michał,

You don't seem to (or pretend not to) understand that using SSL
protects not *the user* (in which case, yes, a user is free to leave the
door to *his own* house wide open), but the Gentoo infrastructure that
is far from his own and that all of us are using. Besides, complaining
about SSL being slow is absurd considering how mildly interactive and
how low-traffic a typical bugzilla session is. You could do just fine
over a 9600 bps modem.


Regards,

Antoni
 

All times are GMT.