{
  "/COMMIT_MSG": [
    {
      "author": {
        "_account_id": 1,
        "name": "James E. Blair",
        "email": "jim@acmegating.com",
        "username": "corvus"
      },
      "change_message_id": "937a62bf3aadc19230555263a9b43dd9b0834747",
      "unresolved": false,
      "context_lines": [
        {"line_number": 5, "context_line": "CommitDate: 2019-11-27 11:51:55 +0100"},
        {"line_number": 6, "context_line": ""},
        {"line_number": 7, "context_line": "Pagure: remove connectors burden and simplify code"},
        {"line_number": 8, "context_line": ""},
        {"line_number": 9, "context_line": "This patch removes the use of the connector system."},
        {"line_number": 10, "context_line": "Indeed I've figured out that user API token can"},
        {"line_number": 11, "context_line": "be set with the needed rights: pull_request_merge,"}
      ],
      "source_content_type": "text/x-gerrit-commit-message",
      "patch_set": 4,
      "id": "3fa7e38b_67d4614c",
      "line": 8,
      "updated": "2019-12-02 17:04:10.000000000",
      "message": "For future reference, feel free to use more than 50 chars on lines\nbeyond the first one.  :)  (Not a minus one.)",
      "commit_id": "fb8fcaf3466648108e9f41843254ffa4c9285063"
    }
  ],
  "doc/source/admin/drivers/pagure.rst": [
    {
      "author": {
        "_account_id": 1,
        "name": "James E. Blair",
        "email": "jim@acmegating.com",
        "username": "corvus"
      },
      "change_message_id": "937a62bf3aadc19230555263a9b43dd9b0834747",
      "unresolved": false,
      "context_lines": [
        {"line_number": 79, "context_line": "      call payload's signature is verified using the project webhook"},
        {"line_number": 80, "context_line": "      token. An admin access to the project is required by Zuul to read"},
        {"line_number": 81, "context_line": "      the token. White listing a source of hook calls allows Zuul to"},
        {"line_number": 82, "context_line": "      react to events without any authorizations."},
        {"line_number": 83, "context_line": ""},
        {"line_number": 84, "context_line": ""},
        {"line_number": 85, "context_line": "Trigger Configuration"}
      ],
      "source_content_type": "text/x-rst",
      "patch_set": 4,
      "id": "3fa7e38b_07e32d36",
      "line": 82,
      "updated": "2019-12-02 17:04:10.000000000",
      "message": "This paragraph says that the source whitelist is optional, but I don't see any code for that.\n\nI'm really uncomfortable with source whitelisting.  It's not at all secure, and it's fragile.  I might be convinced that it's an okay option to have for debugging or something, but I don't think we can recommend it for production.  I'd rather we not have it at all.  Other similar systems manage to have cryptographic verification without this.\n\nUltimately what's needed is for Pagure to supply a token along with every webhook that it sets up that allows recipients of that webhook to verify the validity of supplied data.  Is there something like that?  If not, would the Pagure maintainers be open to adding it?",
      "commit_id": "fb8fcaf3466648108e9f41843254ffa4c9285063"
    },
    {
      "author": {
        "_account_id": 6889,
        "name": "Fabien Boucher",
        "email": "fboucher@redhat.com",
        "username": "fabien-boucher"
      },
      "change_message_id": "4ac5f419388a89c6b85c5bf9ff1f60017ed56b72",
      "unresolved": false,
      "context_lines": [
        {"line_number": 79, "context_line": "      call payload's signature is verified using the project webhook"},
        {"line_number": 80, "context_line": "      token. An admin access to the project is required by Zuul to read"},
        {"line_number": 81, "context_line": "      the token. White listing a source of hook calls allows Zuul to"},
        {"line_number": 82, "context_line": "      react to events without any authorizations."},
        {"line_number": 83, "context_line": ""},
        {"line_number": 84, "context_line": ""},
        {"line_number": 85, "context_line": "Trigger Configuration"}
      ],
      "source_content_type": "text/x-rst",
      "patch_set": 4,
      "id": "3fa7e38b_b8d0daf5",
      "line": 82,
      "in_reply_to": "3fa7e38b_07e32d36",
      "updated": "2019-12-09 11:01:00.000000000",
      "message": "Thanks for the review, yes that's a mistake from a copy/paste from a previous abandoned patch.\n\nOk, yes, having only the whitelist system will be flawed. I will bring back the token fetching from the API and keep both solutions. If a webhook source is not part of the whitelist then zuul-web will try to fetch the webhook token and verify the signature. I'll advise in the doc that the whitelist system is only for debugging purposes and should not be used in production.\n\nI want to keep both because today, on Pagure, to fetch the webhook token (generated randomly/by project server side), the API client needs to be a collaborator with *admin* right level to the project. This is clearly a blocker IMO (and the issue has been raised with the Fedora community) thus in the meantime I've opened an RFE https://pagure.io/pagure/issue/4680.",
      "commit_id": "fb8fcaf3466648108e9f41843254ffa4c9285063"
    }
  ]
}
