That bug was originally filed at request of AJ here: http://lists.opensuse.org/opensuse-factory/2012-03/msg00235.html
More specifically: https://bugzilla.novell.com/show_bug.cgi?id=753203 "Please make Bugzilla easier on openSUSE users"
paraphrasing comment 0 (for those lacking access):
1-multiple URLs for each bug bloat and clutter browser history
2-dismal login persistence
This bug will be two years old next month, and has yet to draw its first comment.
Part of its lack of attention is probably that it is one of those secret bugs reachable only by Novell employees, which makes it akin to a chicken & egg problem.
Lack of login persistence bothers me most. Login is a slow process, a problem of its own, like the slowness of bugzilla.novell.com generally. Since login needs to be repeated multiple times each day by those casually working through bug follow-up, it makes absence of persistence even more annoying.
Novell's own bugs aren't reachable except to a limited audience anyway, so why does everyone working openSUSE bugs need to be subjected to rapid timeout? What exactly is the risk from having login last at least the duration of a browser session?
Bugzilla.redhat.com doesn't impose such trouble on Fedora users. Why can't bugzilla.novell.com be at least somewhat like it?
--
"The wise are known for their understanding, and pleasant words are persuasive." Proverbs 16:21 (New Living Translation)
Team OS/2 ** Reg. Linux User #211409 ** a11y rocks!
Felix Miata *** http://fm.no-ip.com/
--
To unsubscribe, e-mail: opensuse-web+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-web+owner@opensuse.org
On Tuesday 11 February 2014 15.02:58 Felix Miata wrote:
That bug was originally filed at request of AJ here: http://lists.opensuse.org/opensuse-factory/2012-03/msg00235.html
More specifically: https://bugzilla.novell.com/show_bug.cgi?id=753203 "Please make Bugzilla easier on openSUSE users"
paraphrasing comment 0 (for those lacking access): 1-multiple URLs for each bug bloat and clutter browser history 2-dismal login persistence
This bug will be two years old next month, and has yet to draw its first comment.
Part of its lack of attention is probably that it is one of those secret bugs reachable only by Novell employees, which makes it akin to a chicken & egg problem.
Lack of login persistence bothers me most. Login is a slow process, a problem of its own, like the slowness of bugzilla.novell.com generally. Since login needs to be repeated multiple times each day by those casually working through bug follow-up, it makes absence of persistence even more annoying.
Novell's own bugs aren't reachable except to a limited audience anyway, so why does everyone working openSUSE bugs need to be subjected to rapid timeout? What exactly is the risk from having login last at least the duration of a browser session?
Bugzilla.redhat.com doesn't impose such trouble on Fedora users. Why can't bugzilla.novell.com be at least somewhat like it?
Why not push that story of timeout (I didn't suffer from logout before hours myself) to admin@o.o?
--
Bruno Friedmann
Ioda-Net Sàrl www.ioda-net.ch
openSUSE Member
GPG KEY : D5C9B751C4653227
irc: tigerfoot
On 2014-02-12 02:10 (GMT-0500) Bruno Friedmann composed:
Felix Miata wrote:
That bug was originally filed at request of AJ here: http://lists.opensuse.org/opensuse-factory/2012-03/msg00235.html
More specifically: https://bugzilla.novell.com/show_bug.cgi?id=753203 "Please make Bugzilla easier on openSUSE users"
paraphrasing comment 0 (for those lacking access): 1-multiple URLs for each bug bloat and clutter browser history 2-dismal login persistence ...
Why not push that story of timeout (I didn't suffer from logout before hours myself) to admin@o.o?
https://progress.opensuse.org/issues/1447
I was looking here for some feedback and/or discussion, not another report to get no response, and don't really know where better than here for that kind of subject matter to see interest. About the only days I don't have to login at novell.bugzilla.com more than once are the days I don't need to load more than one URL there. Keeping my favorite bug search report (all I ever filed) open constantly is no help.
--
"The wise are known for their understanding, and pleasant words are persuasive." Proverbs 16:21 (New Living Translation)
Team OS/2 ** Reg. Linux User #211409 ** a11y rocks!
Felix Miata *** http://fm.no-ip.com/
Felix Miata (mrmazda@earthlink.net) wrote:
That bug was originally filed at request of AJ here: http://lists.opensuse.org/opensuse-factory/2012-03/msg00235.html
More specifically: https://bugzilla.novell.com/show_bug.cgi?id=753203 "Please make Bugzilla easier on openSUSE users"
paraphrasing comment 0 (for those lacking access): 1-multiple URLs for each bug bloat and clutter browser history 2-dismal login persistence
This bug will be two years old next month, and has yet to draw its first comment.
That's disappointing. I filed a similar bug (#776191, but unfortunately it's restricted to employees only probably because I forgot to tick the "make this public" checkbox when I filed it) back in August 2012. It's seen several replies since then, but progress has been incredibly slow.
Part of its lack of attention is probably that it is one of those secret bugs reachable only by Novell employees, which makes it akin to a chicken & egg problem.
No, #753203 is publicly accessible by anyone with a bugzilla account. However I've requested internally that someone responds with a status update to this.
Lack of login persistence bothers me most. Login is a slow process, a problem of its own, like the slowness of bugzilla.novell.com generally. Since login needs to be repeated multiple times each day by those casually working through bug follow-up, it makes absence of persistence even more annoying.
Yes, it's a stupid waste of time.
Novell's own bugs aren't reachable except to a limited audience anyway, so why does everyone working openSUSE bugs need to be subjected to rapid timeout? What exactly is the risk from having login last at least the duration of a browser session?
Unfortunately it's not a simple matter of tweaking a configuration setting somewhere. I've asked the owner of these two bugs to communicate more details in public.
On 2014-02-11 at 15:02 -0500, Felix Miata wrote:
Lack of login persistence bothers me most.
It is intentional, so it is not going to change.
The system uses a very secure authentication system commercialized (I think) by Novell (Access Manager from NetIQ), different from Bugzilla's own system (whatever that is). And it is the same system used on all "our" sites, so that the same login works on Bugzilla and the forums and many other places.
It has to be secure because it is also used by Novell with their other products and paying customers. That's why there is no login persistence. Security.
And it has serious advantages.
Recently, the forums were hacked. A photo of the emails and password was published to prove they got inside. But the passwords they got were not the real passwords, they were fakes. The real passwords were handled behind, on a different machine and service they could not even get close to. So the hundreds of thousands of users did not have to change their passwords.
<https://news.opensuse.org/2014/01/07/opensuse-forums-defaced/>
<http://thehackernews.com/2014/01/openSUSE-Forum-Hacked-by-Pakistani-hacker.h... >
Previously, the Ubuntu forums were attacked, and there they did get the real passwords. You can find the email threads at the opensuse mail list:
13-07-23 15:46 Basil Chupin (5165) . [opensuse] Ubuntu Forum hacked
14-01-08 09:37 Michael Hamilton (4804) . [opensuse] forums.opensuse.org down?
--
Cheers
Carlos E. R.
(from 13.1 x86_64 "Bottle" (Minas Tirith))
Carlos E. R. (carlos.e.r@opensuse.org) wrote:
On 2014-02-11 at 15:02 -0500, Felix Miata wrote:
Lack of login persistence bothers me most.
It is intentional, so it is not going to change.
According to https://bugzilla.novell.com/show_bug.cgi?id=776191#c11 (again unfortunately internal-only) the possibility of fixing it has not been ruled out.
The system uses a very secure authentication system commercialized (I think) by Novell (Access Manager from NetIQ), different from Bugzilla's own system (whatever that is). And it is the same system used on all "our" sites, so that the same login works on Bugzilla and the forums and many other places.
It has to be secure because it is also used by Novell with their other products and paying customers. That's why there is no login persistence. Security.
What do you mean by "login persistence" exactly? I think part of the problem is that there is some ambiguity around what we are talking about. I have attempted to clarify that here: https://bugzilla.novell.com/show_bug.cgi?id=753203#c3
And it has serious advantages.
Recently, the forums were hacked. A photo of the emails and password was published to prove they got inside. But the passwords they got were not the real passwords, they were fakes. The real passwords were handled behind, on a different machine and service they could not even get close to. So the hundreds of thousands of users did not have to change their passwords.
<https://news.opensuse.org/2014/01/07/opensuse-forums-defaced/>
<http://thehackernews.com/2014/01/openSUSE-Forum-Hacked-by-Pakistani-hacker.h... >
Previously, the Ubuntu forums were attacked, and there they did get the real passwords. You can find the email threads at the opensuse mail list:
13-07-23 15:46 Basil Chupin (5165) . [opensuse] Ubuntu Forum hacked
14-01-08 09:37 Michael Hamilton (4804) . [opensuse] forums.opensuse.org down?
That's true, but it's not directly relevant. No one's requesting that Access Manager should be removed from bugzilla.
What I would like is for bugzilla to offer a login-time checkbox entitled "I am using a secure computer", and this would increase the login session timeout from O(hours) to O(days). This seems like a reasonable trade-off between security and convenience, and it also happens to be standard practice industry-wide.
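The two-tier timeout proposed in the message above, as an added example that is not part of the original post and is not Bugzilla or Access Manager code. The lifetimes, cookie layout and function names are assumptions; the thread only says "hours" versus "days".

```python
import base64, hashlib, hmac, json, secrets

# Assumed lifetimes in seconds; the thread only says "hours" versus "days".
POLICY = {
    False: {"idle": 2 * 3600, "absolute": 8 * 3600},     # default login
    True: {"idle": 3 * 86400, "absolute": 14 * 86400},   # box ticked at login
}
KEY = secrets.token_bytes(32)  # server-side secret, never sent to the browser


def _seal(session: dict) -> str:
    """Serialize the session and append an HMAC so the client cannot edit it."""
    body = base64.urlsafe_b64encode(json.dumps(session).encode()).decode()
    mac = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def issue(user: str, trusted: bool, now: float) -> str:
    """Called once, after the identity provider has authenticated the user."""
    return _seal({"user": user, "trusted": trusted, "login": now, "seen": now})


def check(cookie: str, now: float):
    """Return (user, refreshed_cookie), or (None, None) to force a new login."""
    try:
        body, mac = cookie.split(".")
        good = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac.encode(), good.encode()):
            return None, None          # tampered, e.g. "trusted" flipped client-side
        s = json.loads(base64.urlsafe_b64decode(body))
    except ValueError:
        return None, None              # malformed cookie
    limits = POLICY[bool(s["trusted"])]
    if now - s["login"] > limits["absolute"]:
        return None, None              # hard cap, however active the user is
    if now - s["seen"] > limits["idle"]:
        return None, None              # abandoned session
    s["seen"] = now                    # sliding idle window
    return s["user"], _seal(s)
```

The password is never handled here, so the credential isolation described earlier in the thread is unaffected; only the lifetime of the post-login session changes.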
On 2014-02-12 13:07 (GMT) Adam Spiers composed:
What I would like is for bugzilla to offer a login-time checkbox entitled "I am using a secure computer", and this would increase the login session timeout from O(hours) to O(days). This seems like a reasonable trade-off between security and convenience, and it also happens to be standard practice industry-wide.
I agree for the short term, but for the long term as Matthew Ehle wrote in the bug, OpenSUSE and other Novell/SUSE OSS projects [should] have a separate Bugzilla installation from the corporate products.
Another component of bug 753203 remains: multiple URLs for each bug report. I split that into its own bug: https://bugzilla.novell.com/show_bug.cgi?id=863582
--
"The wise are known for their understanding, and pleasant words are persuasive." Proverbs 16:21 (New Living Translation)
Team OS/2 ** Reg. Linux User #211409 ** a11y rocks!
Felix Miata *** http://fm.no-ip.com/
participants (4)
- Adam Spiers
- Bruno Friedmann
- Carlos E. R.
- Felix Miata