Bug 1044653

(In reply to Kevin Fenzi from comment #0)
> Are either or both of these possible: 
> 
> a) Add ability to fedorabugs to unmark private on Fedora component bugs.
> (Ones they could see due to being assignee or cc)

Can you please explain this one a bit more. Are you asking that anyone (who can see the bug) can make it public?

> b) Add ability for the asignee to unmark private on Fedora component bugs
> they are assigned. (This isn't quite ideal, because it leaves co-maintainers
> out). 

I *think* this is doable (with a bit of hacking), but since (a) is your preferred option, I want to seek clarification on exactly what you are asking.

  -- simon

So, perhaps a use case/example would help: 

* User sees a crash, reports it via abrt
* abrt decides for whatever reason it should be private. 
* Fedora maintainer looks at logs and decides that there is actually no private data, or that the crash is not exploitable. 

Currently they cannot unmark the bug private, but we would like to allow them to do so. ;) 

> Can you please explain this one a bit more. Are you asking that anyone (who can see the bug) can make it public?

I suppose if thats a easy way to implement it it could be fine. The maintainers or the submitter could decide the data really isn't private and unmark it. So, yes, this would work fine. 

Or if we could make 'unmark private bugs in Fedora' a permission added to fedorabugs (ie, fedora maintainers/contibutors) that would work too. 

Does that make sense? Happy to provide more info, etc.

Just following up: is there a plan to implement this?

(In reply to Kevin Fenzi from comment #2)
> Or if we could make 'unmark private bugs in Fedora' a permission added to
> fedorabugs (ie, fedora maintainers/contibutors) that would work too. 

You use the word 'fedorabugs' a lot. Do you mean the 'fedora_bugs' group or do you mean something else?

Sorry, we have a fedora account system group called 'fedorabugs' and we run a script that grants all users in that group the bugzilla 'fedora_contrib' group permissions.

Ah, now I know what you are talking about. So to make it clear you are requesting that:

A user who is in the fedora_contrib group can remove the private flag from a bug in the Fedora component (providing the can see the bug themselves).

Is that correct?

Yes. Exactly.

(In reply to Stephen Gallagher from comment #3)
> Just following up: is there a plan to implement this?

If we can get an agreement within the next 7 days on what is to be done, this could go into sprint 15, which is due to start on February 10th.

Kevin,

Would creating a 'fedora_private' group be an option?  abrt could then mark bugs as 'fedora_private' and then the Fedora committee can decide how to hand out permissions to access this group as they see fit.

Allowing fedora_contrib users to unset the 'private' flag in only fedora products requires subverting Bugzilla's permission system, and this requires a bit of work to do safely.

Is there a requirement to use the 'private' flag for Fedora products? If another flag would suffice then this could be done without any code changes for Bugzilla.

Sorry for the delay here. ;) 

yes, a fedora_private group could work as long as folks in fedora_contrib could see/unset that and accounts without privs could not see or unset it. 

Or perhaps 'fedora_contrib_private' would be more descriptive... 

Would 'fedora_private' be a group? or just a flag like private ?

Kevin

I've created a fedora_contrib_private group on our testing site https://partner-bugzilla.redhat.com
Anyone who is in the fedora_contrib or redhat group has access to fedora_contrib_private.

I've made the group settable for bugs in the Fedora product.  If there's other products you want fedora_contrib_private settable on please let me know.

Please feel free to create bugs and test as much as you like.  If you're happy with the behaviour we can put the changes into production and you can then modify abrt to set fedora_contrib_private for Fedora bugs instead of using private.

(In reply to Kevin Fenzi from comment #11)
> Or perhaps 'fedora_contrib_private' would be more descriptive...
If this is what you would prefer it should be fine, let me know what your final decision is.

> Would 'fedora_private' be a group? or just a flag like private ?

It would be a group.  'private' is also a group.

It seems to work ok from some limited testing... 

partner-bugzilla seems to have a pretty old snapshot, is there any plan to refresh it with a new one anytime soon? 

I'll get some more testing done soon and let you know if we run into any issues with it. 

Thanks!

(In reply to Kevin Fenzi from comment #13)
> It seems to work ok from some limited testing... 
> 
> partner-bugzilla seems to have a pretty old snapshot, is there any plan to
> refresh it with a new one anytime soon?

We hope to refresh it within the next couple of months, but no firm date has been established yet.

Fair enough. 

In any case I think this change looks good to me here. If you like I can ask some abrt folks to look? Or we can ping them once things are live?

(In reply to Kevin Fenzi from comment #15)
> Fair enough. 
> 
> In any case I think this change looks good to me here. If you like I can ask
> some abrt folks to look? Or we can ping them once things are live?

I think it would be best if the abrt folks tested on partner-bugzilla first.
Once they are happy with it we can put the changes live.

Greetings abrt-devel-list. ;) 

Basically we want to make this change so Fedora private abrt bugs can be more easily managed. 

Currently they are marked 'private' group, which means only the maintainer can see them or unmark them. 

We want to mark them 'fedora_contrib_private' that should allow anyone in fedora_contrib to see them or mark/unmark them.

(In reply to Matt Tyson from comment #16)
I tested it with partner-bugzilla and it works!
https://partner-bugzilla.redhat.com/show_bug.cgi?id=953393

(In reply to Kevin Fenzi from comment #17)
I created a pull request updating the group name:
https://github.com/abrt/libreport/pull/242

I also updated related documentation:
https://github.com/abrt/abrt/wiki/FAQ#creating-private-bugzilla-tickets

Excellent. Thank you.

The group changes have been put live on bugzilla.redhat.com
The abrt changes can be put into production now.

Note that this permission is only valid for the Fedora product.  Fedora Documentation, Fedora EPEL, etc are not covered.

If these products also need this permission group, please let me know.

I can see a bug already marked as fedora_contrib_private.  As I have heard nothing further I assume this is working as it should and I am closing this bug.

This seems to have failed in the case of bug 1085215

Can you see what might have happened there?

(In reply to Kevin Fenzi from comment #22)
> This seems to have failed in the case of bug 1085215
> 
> Can you see what might have happened there?

The private group still exists for the Fedora product for bugs that Red Hat staff would like to remain private.

  -- simon

Sure, but from what I can see in history, abrt filed that with the regular private group instead of the fedora-contrib-private. 

Or did someone change it after it was filed, but history doesn't show that?

(In reply to Kevin Fenzi from comment #24)
> Sure, but from what I can see in history, abrt filed that with the regular
> private group instead of the fedora-contrib-private. 

That would be correct.

> Or did someone change it after it was filed, but history doesn't show that?

Any change made after the bug would have been filed would be shown in the history.

Is it possible that an older version of abrt would still set the private group instead of the newly created group?

(In reply to Simon Green from comment #25)
> Is it possible that an older version of abrt would still set the private
> group instead of the newly created group?

Yes, it is possible, but bug #1085215 has been created by libreport-2.2.0 where the default private group name is 'fedora_contrib_private'.

I think that the reporter has modified '/etc/libreport/plugins/bugzilla.conf' configuration file, which contains the name of private group, and the new private group name got stuck in '/etc/libreport/plugins/bugzilla.conf.new' file.

(In reply to Jakub Filak from comment #26)
D`oh, it is even worse than I thought. The name of private group needs to be changed in the GUI configuration.

gnome-abrt -> Preferences -> Events -> Bugzilla -> Advanced -> Groups

That is because the private group name has a default value assigned and once a user updates the configuration in GUI the default value becomes the configured value.

ok, so is there anything we can do here?

Should we move this to a new abrt bug to track and perhaps just manually (or script) resetting any that are currently wrong?

Please set the needinfo flag for me when replying. I'm only on the CC: list for this bug, and may not always see your reply. Matt is on PTO for two weeks.

(In reply to Kevin Fenzi from comment #28)
> ok, so is there anything we can do here?

From a Bugzila point of view, I don't think there is anything we can do.

> Should we move this to a new abrt bug to track and perhaps just manually (or
> script) resetting any that are currently wrong?

That would seem to be the most practical option in this case.

  -- simon

(In reply to Simon Green from comment #29)
> > Should we move this to a new abrt bug to track and perhaps just manually (or
> > script) resetting any that are currently wrong?
> 
> That would seem to be the most practical option in this case.

I have opened bug #1087370 for this -> A reporting user will be suggested to use the right group name before submitting the bug report.

Perhaps should allow the one who reports the bug, unchecking the boxes “Fedora Contrib Private” and “Private Group”?