bugzilla-tool uses urllib2.urlopen() for all of the viewing requests (like getting attachments from bugs) and mechanize for all the editing requests. We've added support for authenticating our mechanize connection, but not for our urllib2 connection. :( This means that none of the viewing requests are authenticated... thus we can't use bugzilla-tool with security bugs.
This means the commit-queue also doesn't work with security bugs.
supporting security bugs is actually super-simple now. At least for the post and land commands. All we have to do is make sure we authenticate bugzilla first.
For the commit-queue and query commands, it's not clear that we should authenticate up front.
By now I mean "once bug 32729 has landed".
I expect this is fixed by https://bugs.webkit.org/show_bug.cgi?id=33871
*** This bug has been marked as a duplicate of bug 33871 ***
Sorry, I meant bug 33701
*** This bug has been marked as a duplicate of bug 33701 ***