On Wed, Jul 29, 2009 at 07:12:00AM -0700, Toshio Kuratomi wrote:
> On 07/29/2009 07:05 AM, Till Maas wrote:
>> On Wed, Jul 29, 2009 at 06:30:27AM -0700, Toshio Kuratomi wrote:
>>
>>> Is the same thing true of watching a person? till, I'm now watching
>>> till-opensource.name, if you want to open a new security bug and see if
>>> I get CC'd.
>>
>> I created
https://bugzilla.redhat.com/show_bug.cgi?id=514518
>> According to bugzilla, you did not receive any mails, but only
security-response-team@ rh..
>>
> Confirmed.
>
> So autoapproving watchbugzilla would open up security bugs in a way that
> watching a person does not.
According to Tomas Hoger, who replied to the bug, creating a security
sensitive bug also skips initialccs, therefore there seems to be no
security issue at all with autoapproving watchbugzilla in reality
afaics. I also oberserved that I was not added to the CC list of the
bug, which would be the default beheaviour.
Okay, please test this with a package that has people on the initial CC
list so we've tested precisely the behaviour people are concerned about.
If the initialcclist is not set when a security bug comes in I don't
think there's a reason we shouldn't auto-approve watchbugzilla in pkgdb.
-Toshio