Hi,
I'm getting CC'ed in Chromium CVEs (i.e. https://bugzilla.redhat.com/show_bug.cgi?id=2284316) even though I've removed myself from that package 2 weeks ago and I'm not a member of the Fedora package (see the members section in https://src.fedoraproject.org/rpms/chromium/). When I've asked Red Hat's Product Security team about this I got the following reply:
I checked our product definitions and from a ProdSec tooling perspective you should not be CC'd on chromium bugs. I'm not sure why you got added there, one thing we found suspicious is the default CC list on stage BZ [1] if you enter "chromium" as component:
"Default CC: spotrh@gmail.com, than@redhat.com, tpopela@redhat.com, yaneti@declera.com"
Repeating the same in prod BZ does not list you. I wonder if you recently got yourself removed it might be a sync issue of some sort.
[1] https://bugzilla.stage.redhat.com/enter_bug.cgi?product=Fedora%20EPEL
Then I talked to Bugzilla admins and the reply I got was:
Hi, this product is managed by the Fedora Infrastructure team, you would need to contact them to find out the history.
You are not in the default CC for this component ATM. So I think their sync must have updated it.
And hence this request. Can you please investigate?
Metadata Update from @zlopez: - Issue priority set to: Waiting on Assignee (was: Needs Review) - Issue tagged with: Needs investigation
Metadata Update from @kevin: - Issue assigned to kevin
I think this is already fixed.
It was caused by the sync script getting stuck on that exception trying to set that invalid user correctly, so it never was able to get to syncing this change.
Anyhow, looking now I don't see you on the component.
If you get a CC from a bug moving forward, please re-open or file a new ticket.
Metadata Update from @kevin: - Issue close_status updated to: Fixed with Explanation - Issue status updated to: Closed (was: Open)
Thank you @kevin !
@kevin https://bugzilla.redhat.com/show_bug.cgi?id=2290906 / https://bugzilla.redhat.com/show_bug.cgi?id=2290911 were created 3 days ago and I'm CC'ed in both of them. Can you please look into this again?
Metadata Update from @tpopela: - Issue status updated to: Open (was: Closed)
Strange. I don't see you on the web admin interface in bugzilla, nor do I see you cc'ed if I try and start filing a new bug.
Perhaps this was finally fixed sometime after the above two bugs?
Did you get any after those?
I'm going to go ahead and close this... if you still see any, please re-open and let us know.
Metadata Update from @kevin: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
Yesterday I got https://bugzilla.redhat.com/show_bug.cgi?id=2294107 (epel) and https://bugzilla.redhat.com/show_bug.cgi?id=2294106 (Fedora) in my inbox. Sorry @kevin, but I have to reopen this.
Strange. OK, I will dig around and see if I can find out what's going on.
You aren't in default cc for the component... I wonder if there could be some issue with the scripts they use to file security bugs. Are all the ones you have been cc'ed on CVEs?
On the 20th, https://bugzilla.redhat.com/show_bug.cgi?id=2293202 was filed and you aren't cced on it.
Yes, it's only CVEs, so it looks like there's still something wrong on the ProdSec side even though they've said that it's not true. Ok, let me get back to them again.
OK. Let me know if I can talk to anyone about it or do anything to get it fixed.
So, shall we close this here and you can re-open or file a new ticket if there's anything we can do from our side?
Metadata Update from @kevin: - Issue close_status updated to: Upstream - Issue status updated to: Closed (was: Open)