Even worse. Every packager (not a member of package) is able to orphan
*any* package and drop the main admin there. Just verified it.
On Thu, Mar 18, 2021 at 11:25 AM Miro Hrončok <mhroncok(a)redhat.com> wrote:
On 18. 03. 21 11:14, Pavel Zhukov wrote:
> So... Looks like the ex-admin of the package was able to orphan one
> somehow and by doing this drop the current admin from the member
> list. Looks like a bug if not a security hole for me.
An "admin" can remove admins. I don't think that is necessarily an
unexpected permission of an admin.
I'd argue that the security hole lies in keeping users you don't trust as
admins.
--
Miro Hrončok
--
Phone: +420777974800
IRC: mhroncok
--
Pavel Zhukov
Software Engineer
IRC: landgraf