Phil Holmes wrote Saturday, May 16, 2015 11:17 AM
>
>> Trevor Daniels wrote Tuesday, May 12, 2015 9:15 PM
>>
>>> I'm sure we'll find some undesirable features of Allura when we get down
>>> to the details, but that's what the next few weeks will tell us.
>>
>> I've pretty well completed my assessment of Allura at SourceForge, and
>> find the facilities available pretty well match our needs, in fact they
>> are surprisingly similar to those at GoogleCode. There are some
>> differences but none which we can't live with. So far so good.
>>
>> However, there is a show-stopper concerning the integrity of the Issues
>> discussions recorded in the tracker. Each item in the discussion has an
>> owner, and this is set to Anonymous during the import, since the original
>> owner is not recognised as a SourceForge account-holder. This in itself
>> is not a serious problem, as the correct owner is recorded in the text of
>> the message. However, owners of discussion messages are always permitted
>> to edit them, irrespective of the permission settings, and I can find no
>> way of preventing this. That means Anonymous, which is any not-logged-in
>> user, i.e. anyone, will be able to edit, accidentally or maliciously, any
>> and all discussion entries in our Issues DB.
>>
>> I've reported this to the SourceForge maintainers:
>> https://sourceforge.net/p/forge/site-support/10317/
>
>
> Good detective work. This might be a pain, but don't think it's a
> show-stopper: there's no evidence it would actually happen. If it becomes a
> problem, we might well be able to get a script to update the owners?

Unless the developers accept the weakness and fix it I guess we have no choice. At least new posts by SF account-holders, i.e. developers and users who choose to register, will be properly protected.

Re a script: it's possible for an admin or dev to change the owner of the original ticket via the online interface, but I can see no way to change the owner of a subsequent post, neither online as an administrator nor via the API.

Trevor

_______________________________________________
lilypond-devel mailing list
lilypond-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/lilypond-devel