On 27/11/18 12:13, Neal Gompa wrote:
On Mon, Nov 26, 2018 at 5:08 PM Jeff Fearn jfearn@redhat.com wrote:
On 27/11/18 02:06, Emmanuel Seyman wrote:
- Neal Gompa [26/11/2018 11:01] :
Out of curiosity, does anyone know where the source code for Red Hat Bugzilla actually is? I tried to find it a while ago, and even tried to send an email asking about it (with no response...). This variant of Bugzilla has features that aren't present in vanilla Bugzilla 5.x, nor are they present in the Mozilla fork (bmo)...
The source code isn't available (although I've been told at least one Bugzilla developer has access to it).
This is correct. We are in a very drawn out, and painful, process to get this opened up.
Dylan from BMO is helping us out by doing an audit for us, but he is doing it as a favor, in his own time, so it's taking about as long as you'd expect to audit a 20-year-old code base in your spare time.
Once Dylan is done, and we are putting no pressure on him to meet or specify a timeline, I'll do another round of infosec/product security team handshaking and then we should be able to open it.
My recent interest in RHBZ code stems from two things:
- it has working SAML auth
- it supports external bug tracking (though I'm not sure if the functionality has completely worked recently, and lacks pagure.io itself...)
In Mageia, we're looking at revamping our identity management, and we'd like to use SSO via SAML with our BZ5 system, but sadly this code is not available for vanilla bz5 systems, and BMO uses CAS instead of SAML or OIDC. :(
And of course, external bug tracking is useful for obvious reasons. :)
As someone who has to use radius 2FA to access Bugzilla, I cannot tell you just how much SSO rocks ^_^
I may have BCC'd Dylan on this reply ;)
Cheers, Jeff.