[rt-users] editing tickets (comments and replies) - I know the answer, but dont understand why...
Scott Courtney
scott at 4th.com
Mon Jan 2 16:11:54 EST 2006
On Monday 02 January 2006 12:25, Duncan Shannon wrote:
> Does the Average RT user need the system to have the same level of
> integrity and inability to change info to the level of an accounting
> system? I'd be suprosed if the integrity of the data was that
> importiant to most of the RT crowd. Anyone?
I use RT in a corporate setting and also in a nonprofit org setting. In
the former case, we care about the auditability internally. In the latter
case, not at all.
I'm puzzled by the notion that disallowing even an RT sysadmin to delete
or alter content is perceived as somehow providing a level of legal
chain of evidence. All of RT's data is stored in a relational database,
so anyone who has INSERT, DELETE, or UPDATE access on the tables can
already munge the data anyway they want. The source code and schema are
published information, so it's not even security-through-obscurity. We
place trust in our sysadmins not to touch the data, but at many sites the RT
admin also has DBA privileges on the back-end database.
IANAL, but I would be *very* surprised if RT's lack of a "friendly" delete/
alter feature would make RT hold up in court as an unalterable audit trail.
All the opposing lawyer would have to do is point out how easily the data
could be modified in direct SQL, and that would finish that argument. Just
because it requires technical knowledge to alter the data doesn't mean a
court would believe it to be impossible. You can still put the sysadmin on
the witness stand and ask, under oath, "Did you alter the data?" That tactic
doesn't rely on RT somehow providing a false sense of non-alterability.
The only really good mechanisms to achieve nonrepudiation of transactions rely
on public key cryptography to digitally sign the transaction. AFAIK, RT doesn't
have that capability right now -- and even if it did, the courts are still not
settled on just how heavily to weigh evidence that is digitally signed.
My opinion, therefore, is that an option to alter or delete should be available
as a high-level privilege, by default available only to superusers but able
to be delegated to others like any other permission. If a site doesn't want
people deleting things, then they should leave this permission available only
to the superuser and then not hand out the superuser privilege.
For those subject to spammers creating tickets and userids in RT, the ability
to truly purge that junk rather than just making it invisible would be an
incredibly useful feature.
Scott
--
------------------------------------------------------------------------------
Scott Courtney | "I don't mind Microsoft making money. I mind them
scott at 4th.com | having a bad operating system." -- Linus Torvalds
http://4th.com/ | ("The Rebel Code," NY Times, 21 February 1999)
| PGP Public Key at http://4th.com/keys/scott.pubkey
More information about the rt-users
mailing list