Bug 1044653 - Allow assignees of private fedora abrt bugs to unset the private permission
Summary: Allow assignees of private fedora abrt bugs to unset the private permission
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Bugzilla
Classification: Community
Component: Creating/Changing Bugs
Version: 4.4
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: 4.4
Assignee: Matt Tyson 🤬
QA Contact: tools-bugs
URL:
Whiteboard: [request: comment6]
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-12-18 18:35 UTC by Kevin Fenzi
Modified: 2018-12-09 06:29 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-03-12 01:31:30 UTC


Attachments (Terms of Use)

Description Kevin Fenzi 2013-12-18 18:35:53 UTC
Greetings. 

The Fedora Engineering Steering Commitee would like to see if we could make the following change: 

In Fedora abrt  marks some reported bugs as 'private' based on various factors (if it thinks the reporter has private data in the uploaded information, or if the crash is considered to be 'exploitable' over some threshold). Currently even if the assignee examines the data and decides it's not private they are unable to unmark the bug as private. 

Are either or both of these possible: 

a) Add ability to fedorabugs to unmark private on Fedora component bugs. (Ones they could see due to being assignee or cc)

b) Add ability for the asignee to unmark private on Fedora component bugs they are assigned. (This isn't quite ideal, because it leaves co-maintainers out). 

See: 

https://fedorahosted.org/fesco/ticket/1209
and
https://bugzilla.redhat.com/show_bug.cgi?id=1039080
for more background. 

Happy to answer questions or provide more info.

Comment 1 Simon Green 2013-12-19 22:45:36 UTC
(In reply to Kevin Fenzi from comment #0)
> Are either or both of these possible: 
> 
> a) Add ability to fedorabugs to unmark private on Fedora component bugs.
> (Ones they could see due to being assignee or cc)

Can you please explain this one a bit more. Are you asking that anyone (who can see the bug) can make it public?

> b) Add ability for the asignee to unmark private on Fedora component bugs
> they are assigned. (This isn't quite ideal, because it leaves co-maintainers
> out). 

I *think* this is doable (with a bit of hacking), but since (a) is your preferred option, I want to seek clarification on exactly what you are asking.

  -- simon

Comment 2 Kevin Fenzi 2013-12-20 15:21:51 UTC
So, perhaps a use case/example would help: 

* User sees a crash, reports it via abrt
* abrt decides for whatever reason it should be private. 
* Fedora maintainer looks at logs and decides that there is actually no private data, or that the crash is not exploitable. 

Currently they cannot unmark the bug private, but we would like to allow them to do so. ;) 

> Can you please explain this one a bit more. Are you asking that anyone (who can see the bug) can make it public?

I suppose if thats a easy way to implement it it could be fine. The maintainers or the submitter could decide the data really isn't private and unmark it. So, yes, this would work fine. 

Or if we could make 'unmark private bugs in Fedora' a permission added to fedorabugs (ie, fedora maintainers/contibutors) that would work too. 

Does that make sense? Happy to provide more info, etc.

Comment 3 Stephen Gallagher 2014-01-29 12:50:09 UTC
Just following up: is there a plan to implement this?

Comment 4 Simon Green 2014-01-30 03:20:07 UTC
(In reply to Kevin Fenzi from comment #2)
> Or if we could make 'unmark private bugs in Fedora' a permission added to
> fedorabugs (ie, fedora maintainers/contibutors) that would work too. 

You use the word 'fedorabugs' a lot. Do you mean the 'fedora_bugs' group or do you mean something else?

Comment 5 Kevin Fenzi 2014-01-30 04:38:34 UTC
Sorry, we have a fedora account system group called 'fedorabugs' and we run a script that grants all users in that group the bugzilla 'fedora_contrib' group permissions.

Comment 6 Simon Green 2014-01-30 04:43:55 UTC
Ah, now I know what you are talking about. So to make it clear you are requesting that:

A user who is in the fedora_contrib group can remove the private flag from a bug in the Fedora component (providing the can see the bug themselves).

Is that correct?

Comment 7 Kevin Fenzi 2014-01-30 16:44:11 UTC
Yes. Exactly.

Comment 9 Jason McDonald 2014-01-30 23:39:16 UTC
(In reply to Stephen Gallagher from comment #3)
> Just following up: is there a plan to implement this?

If we can get an agreement within the next 7 days on what is to be done, this could go into sprint 15, which is due to start on February 10th.

Comment 10 Matt Tyson 🤬 2014-02-20 01:53:10 UTC
Kevin,

Would creating a 'fedora_private' group be an option?  abrt could then mark bugs as 'fedora_private' and then the Fedora committee can decide how to hand out permissions to access this group as they see fit.

Allowing fedora_contrib users to unset the 'private' flag in only fedora products requires subverting Bugzilla's permission system, and this requires a bit of work to do safely.

Is there a requirement to use the 'private' flag for Fedora products? If another flag would suffice then this could be done without any code changes for Bugzilla.

Comment 11 Kevin Fenzi 2014-02-21 18:46:27 UTC
Sorry for the delay here. ;) 

yes, a fedora_private group could work as long as folks in fedora_contrib could see/unset that and accounts without privs could not see or unset it. 

Or perhaps 'fedora_contrib_private' would be more descriptive... 

Would 'fedora_private' be a group? or just a flag like private ?

Comment 12 Matt Tyson 🤬 2014-02-24 01:33:58 UTC
Kevin

I've created a fedora_contrib_private group on our testing site https://partner-bugzilla.redhat.com
Anyone who is in the fedora_contrib or redhat group has access to fedora_contrib_private.

I've made the group settable for bugs in the Fedora product.  If there's other products you want fedora_contrib_private settable on please let me know.

Please feel free to create bugs and test as much as you like.  If you're happy with the behaviour we can put the changes into production and you can then modify abrt to set fedora_contrib_private for Fedora bugs instead of using private.

(In reply to Kevin Fenzi from comment #11)
> Or perhaps 'fedora_contrib_private' would be more descriptive...
If this is what you would prefer it should be fine, let me know what your final decision is.

> Would 'fedora_private' be a group? or just a flag like private ?

It would be a group.  'private' is also a group.

Comment 13 Kevin Fenzi 2014-02-24 17:51:54 UTC
It seems to work ok from some limited testing... 

partner-bugzilla seems to have a pretty old snapshot, is there any plan to refresh it with a new one anytime soon? 

I'll get some more testing done soon and let you know if we run into any issues with it. 

Thanks!

Comment 14 Matt Tyson 🤬 2014-02-24 23:25:25 UTC
(In reply to Kevin Fenzi from comment #13)
> It seems to work ok from some limited testing... 
> 
> partner-bugzilla seems to have a pretty old snapshot, is there any plan to
> refresh it with a new one anytime soon?

We hope to refresh it within the next couple of months, but no firm date has been established yet.

Comment 15 Kevin Fenzi 2014-02-27 21:46:41 UTC
Fair enough. 

In any case I think this change looks good to me here. If you like I can ask some abrt folks to look? Or we can ping them once things are live?

Comment 16 Matt Tyson 🤬 2014-02-27 21:50:03 UTC
(In reply to Kevin Fenzi from comment #15)
> Fair enough. 
> 
> In any case I think this change looks good to me here. If you like I can ask
> some abrt folks to look? Or we can ping them once things are live?

I think it would be best if the abrt folks tested on partner-bugzilla first.
Once they are happy with it we can put the changes live.

Comment 17 Kevin Fenzi 2014-02-27 21:54:17 UTC
Greetings abrt-devel-list. ;) 

Basically we want to make this change so Fedora private abrt bugs can be more easily managed. 

Currently they are marked 'private' group, which means only the maintainer can see them or unmark them. 

We want to mark them 'fedora_contrib_private' that should allow anyone in fedora_contrib to see them or mark/unmark them.

Comment 18 Jakub Filak 2014-02-28 14:08:53 UTC
(In reply to Matt Tyson from comment #16)
I tested it with partner-bugzilla and it works!
https://partner-bugzilla.redhat.com/show_bug.cgi?id=953393

(In reply to Kevin Fenzi from comment #17)
I created a pull request updating the group name:
https://github.com/abrt/libreport/pull/242

I also updated related documentation:
https://github.com/abrt/abrt/wiki/FAQ#creating-private-bugzilla-tickets

Comment 19 Kevin Fenzi 2014-02-28 17:01:43 UTC
Excellent. Thank you.

Comment 20 Matt Tyson 🤬 2014-03-04 04:38:54 UTC
The group changes have been put live on bugzilla.redhat.com
The abrt changes can be put into production now.

Note that this permission is only valid for the Fedora product.  Fedora Documentation, Fedora EPEL, etc are not covered.

If these products also need this permission group, please let me know.

Comment 21 Matt Tyson 🤬 2014-03-12 01:31:30 UTC
I can see a bug already marked as fedora_contrib_private.  As I have heard nothing further I assume this is working as it should and I am closing this bug.

Comment 22 Kevin Fenzi 2014-04-08 20:24:33 UTC
This seems to have failed in the case of bug 1085215

Can you see what might have happened there?

Comment 23 Simon Green 2014-04-09 00:13:28 UTC
(In reply to Kevin Fenzi from comment #22)
> This seems to have failed in the case of bug 1085215
> 
> Can you see what might have happened there?

The private group still exists for the Fedora product for bugs that Red Hat staff would like to remain private.

  -- simon

Comment 24 Kevin Fenzi 2014-04-09 00:37:50 UTC
Sure, but from what I can see in history, abrt filed that with the regular private group instead of the fedora-contrib-private. 

Or did someone change it after it was filed, but history doesn't show that?

Comment 25 Simon Green 2014-04-09 01:15:56 UTC
(In reply to Kevin Fenzi from comment #24)
> Sure, but from what I can see in history, abrt filed that with the regular
> private group instead of the fedora-contrib-private. 

That would be correct.

> Or did someone change it after it was filed, but history doesn't show that?

Any change made after the bug would have been filed would be shown in the history.

Is it possible that an older version of abrt would still set the private group instead of the newly created group?

Comment 26 Jakub Filak 2014-04-09 07:16:53 UTC
(In reply to Simon Green from comment #25)
> Is it possible that an older version of abrt would still set the private
> group instead of the newly created group?

Yes, it is possible, but bug #1085215 has been created by libreport-2.2.0 where the default private group name is 'fedora_contrib_private'.

I think that the reporter has modified '/etc/libreport/plugins/bugzilla.conf' configuration file, which contains the name of private group, and the new private group name got stuck in '/etc/libreport/plugins/bugzilla.conf.new' file.

Comment 27 Jakub Filak 2014-04-09 08:21:13 UTC
(In reply to Jakub Filak from comment #26)
D`oh, it is even worse than I thought. The name of private group needs to be changed in the GUI configuration.

gnome-abrt -> Preferences -> Events -> Bugzilla -> Advanced -> Groups

That is because the private group name has a default value assigned and once a user updates the configuration in GUI the default value becomes the configured value.

Comment 28 Kevin Fenzi 2014-04-11 19:18:11 UTC
ok, so is there anything we can do here?

Should we move this to a new abrt bug to track and perhaps just manually (or script) resetting any that are currently wrong?

Comment 29 Simon Green 2014-04-12 01:34:38 UTC
Please set the needinfo flag for me when replying. I'm only on the CC: list for this bug, and may not always see your reply. Matt is on PTO for two weeks.

(In reply to Kevin Fenzi from comment #28)
> ok, so is there anything we can do here?

From a Bugzila point of view, I don't think there is anything we can do.

> Should we move this to a new abrt bug to track and perhaps just manually (or
> script) resetting any that are currently wrong?

That would seem to be the most practical option in this case.

  -- simon

Comment 30 Jakub Filak 2014-04-17 15:18:56 UTC
(In reply to Simon Green from comment #29)
> > Should we move this to a new abrt bug to track and perhaps just manually (or
> > script) resetting any that are currently wrong?
> 
> That would seem to be the most practical option in this case.

I have opened bug #1087370 for this -> A reporting user will be suggested to use the right group name before submitting the bug report.

Comment 31 Фукидид 2017-11-24 11:48:48 UTC
Perhaps should allow the one who reports the bug, unchecking the boxes “Fedora Contrib Private” and “Private Group”?


Note You need to log in before you can comment on or make changes to this bug.