derby-dev Jira account and patch list notification

[Kathey Marsden <km...@sbcglobal.net>]

I created a derby-dev JIRA account so we can get weekly patch list 
notification.  But there are few  outstanding issues.

1) derby-dev needs JIRA developer access so it can subscribe to the 
patch report
2) jira@apache.org  needs to subscribe to the derby-dev developer list 
so the patch reports don't get moderated.
3) We need to decide what to do about the password.  On IRC andersmo 
mentioned really anyone can have it sent to the list by pressing the 
send me my password button.  Perhaps we can find out how Forrest handles it.


Kathey

Re: derby-dev Jira account and patch list notification

[Andrew McIntyre <mc...@gmail.com>]

On 7/28/06, Kathey Marsden <km...@sbcglobal.net> wrote:
>
> I went to go and log in with the original password we used for derby-dev
> and cannot log into Jira with that. Has  it been  changed?

No, but we found the solution to the security issue. If you remove a
user from the jira-users group, they can't log in. So even if someone
reset the password, they couldn't actually log in and do anything with
it.

>  That would
> be good for me as I don't like being one  of a small group with the
> password.   Seems like it should be admin or everybody.  Can you please
> subscribe derby-dev to the filter "Derby: JIRA issues with patch
> available"? to be posted once a week.

done.

andrew

Re: derby-dev Jira account and patch list notification

[Kathey Marsden <km...@sbcglobal.net>]

Andrew McIntyre wrote:

>
> After checking with some folks from Forrest, there doesn't seem to be
> a way around this, but then, they've never had a problem with it
> either. I'll follow up with infra, though, and see if there's a
> solution.
>
I went to go and log in with the original password we used for derby-dev 
and cannot log into Jira with that. Has  it been  changed?  That would 
be good for me as I don't like being one  of a small group with the 
password.   Seems like it should be admin or everybody.  Can you please 
subscribe derby-dev to the filter "Derby: JIRA issues with patch 
available"? to be posted once a week.

Thanks

Kathey

Re: derby-dev Jira account and patch list notification

[Andrew McIntyre <mc...@gmail.com>]

On 7/26/06, Kathey Marsden <km...@sbcglobal.net> wrote:
> I created a derby-dev JIRA account so we can get weekly patch list
> notification.  But there are few  outstanding issues.
>
> 1) derby-dev needs JIRA developer access so it can subscribe to the
> patch report

done.

> 2) jira@apache.org  needs to subscribe to the derby-dev developer list
> so the patch reports don't get moderated.

I can take care of this when the first mail from the filter
subscription gets sent to the list.

> 3) We need to decide what to do about the password.  On IRC andersmo
> mentioned really anyone can have it sent to the list by pressing the
> send me my password button.  Perhaps we can find out how Forrest handles it.

After checking with some folks from Forrest, there doesn't seem to be
a way around this, but then, they've never had a problem with it
either. I'll follow up with infra, though, and see if there's a
solution.

andrew

Re: derby-dev Jira account and patch list notification

["Jean T. Anderson" <jt...@bristowhill.com>]

Kathey Marsden wrote:
...
> 3) We need to decide what to do about the password.  On IRC andersmo
> mentioned really anyone can have it sent to the list by pressing the
> send me my password button.  Perhaps we can find out how Forrest handles
> it.

I found a post in the forrest archives [1] that mentions the security issue:

> I tried that first, but it opens up that account for some light hacking: 
> one can request a password change and the new password is then mailed to 
> the list. So I opted for the no-role-account policy. 

I didn't find a followup post to the public list.

 -jean


[1]
http://mail-archives.apache.org/mod_mbox/forrest-dev/200211.mbox/%3c3DD8BC5D.8040001@outerthought.org%3e