Secure testing team - Feb 2011 - Fw: Re: rt.debian.org no longer accepting guest/readonly

More evidence that RT is insufficient.  It''s a completely closed
system now. See below.

Mike

Begin forwarded message:

Date: Tue, 22 Feb 2011 00:18:16 +0100
From: Peter Palfrader <weasel at debian.org>
To: Michael Gilbert <michael.s.gilbert at gmail.com>
Cc: debian-admin at lists.debian.org
Subject: Re: rt.debian.org no longer accepting guest/readonly


On Mon, 21 Feb 2011, Michael Gilbert wrote:
> RT seems to no longer accept the username=guest, password=readonly
> combination any more.  Thanks for looking into this.
Yes.  The guest account has been disabled due to heavy abuse.

There is a debian account you might be able to use in the meantime.

We are thinking of giving each DD their own RT account eventually, but
this unfortunately doesn''t do itself.

cheers,
weasel
-- 
                           |  .''''`.       ** Debian **
      Peter Palfrader      | : :'' :      The  universal
 http://www.palfrader.org/ | `. `''      Operating System
                           |   `-    http://www.debian.org/

On lun., 2011-02-21 at 19:48 -0500, Michael Gilbert
wrote:
> More evidence that RT is insufficient.  It''s a completely closed
> system now. See below.
Not ?completely?, just reserved to DDs for now, which is a bit
unfortunate. RT might not be the perfect tool for the jib, but as I
understand it the bts lacks a way to report embargoed issues and that
was the only point for using RT?

Regards,
-- 
Yves-Alexis
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL:
<http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20110222/b0937fd8/attachment.pgp>

[Yves-Alexis Perez]
> Not ?completely?, just reserved to DDs for now, which is a bit
> unfortunate. RT might not be the perfect tool for the jib, but as I
> understand it the bts lacks a way to report embargoed issues and that
> was the only point for using RT?
Note that RT can be set up to authenticate using users in a external
LDAP database as well as its internal database and to allow meta data
updates using email pseudo-headers (in first paragraph), and thus can
be a bit easier to use for unix heads. :)

The latter is an extension available from
<URL: http://search.cpan.org/dist/RT-Extension-CommandByMail >.

We use both here at the University of Oslo.

Happy hacking,
-- 
Petter Reinholdtsen

On Tuesday 22 February 2011 01:48:02 Michael Gilbert
wrote:
> More evidence that RT is insufficient.
The security team has to use RT and finds it sufficient. Please let the team 
that uses the tools, pick the tools.

The current situation is at least as good as the 10+ years that the Debian 
security team has functioned with only a closed email alias. If outsiders can 
use the system, even better, and we''ve asked DSA to implement this, but
while
it is not implemented we''re no further off from the previous situation
where
outsiders also didn''t have access to team communications. RT is
primarily an
internal tool, used by the team for the team.


Thijs
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 490 bytes
Desc: This is a digitally signed message part.
URL:
<http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20110222/a33d9114/attachment.pgp>

On Tue, 22 Feb 2011 21:57:17 +0100 Thijs Kinkhorst wrote:
> On Tuesday 22 February 2011 01:48:02 Michael Gilbert wrote:
> > More evidence that RT is insufficient.
> 
> The security team has to use RT and finds it sufficient. Please let the
team
> that uses the tools, pick the tools.
Of course.  I was only hoping to spur some thought/discussion on
possibly making some changes for the better.  Wouldn''t it be nice if
there were a lot more participation in DSA preparation?  Wouldn''t that
save you some work, and hopefully help get issues fixed faster (if
there is more help).
> The current situation is at least as good as the 10+ years that the Debian 
> security team has functioned with only a closed email alias. If outsiders
can
> use the system, even better, and we''ve asked DSA to implement
this, but while
> it is not implemented we''re no further off from the previous
situation where
> outsiders also didn''t have access to team communications. RT is
primarily an
> internal tool, used by the team for the team.
If RT is fixed to allow creation of guest accounts with read/write
access to all unembargoed tickets, my concerns will probably be fully
addressed.

I still don''t like the fact that RC isn''t integrated very well
with the
rest of Debian like the BTS already is, but it also doesn''t look like
the current momentum has any sway.  That''s OK I guess since its the
team''s call, but I think maximum openness/approachability should the
ideal to strive for.

Best wishes,
Mike