On 2018-06-28, Jan Matèrne (jhm) wrote:

>>> Just curious about our bugzilla infrastructure - do random users get
>>> to change the content of these bugs, even if they aren't the ones who
>>> reported the issue?
>> Yes.
>> Back when Bugzilla was introduced the developers and admins falsely
>> assumed only sensible people would be using the tool.

> Do you know if JIRA is more secure?

Depends on what "secure" means. The ASF installations allow everybody to create accounts and everybody to create new issues. This is a deliberate choice and is the same for JIRA and Bugzilla - and is the best choice for an open source project IMHO.

I'm not sure whether JIRA allows arbitrary users to modify existing issues other people have created. Of course you want everybody to be able to comment, not so sure about the issue's title.

I've just had a look at the permissions on Commons Compress' JIRA project and "edit issue" can only be done by people in certain roles while "create issue" is allowed to the jira-users group - which is everybody with an account.

> Also against spam attacks?

When I complained too much about Bugzilla spam I was granted Admin access so I could block spammers. :-)

I recall JIRA spam as well but it doesn't happen very often. Maybe the account creation procedure for JIRA is more involved than for Bugzilla so setting up accounts is more work for spammers and they prefer Bugzilla as the easier target. I don't know.

TBH I don't think there is a big difference and we seem to be able to handle spam reasonably well.

> If yes, we could think about migrating ...

I'm afraid a migration of the existing issues would be painful and we've got a LONG history with lots of issues in Bugzilla. I'm not convinced this kind of issue hijacking is happening often enough to be the only reason for switching the issue tracker :-)

Stefan