On Wed, Mar 17, 2004 at 11:03:03AM +0100, Julian Mehnle wrote:
> Paul Hampson wrote:
> > > I'm getting so much spam through my debian account that I'm already
> > > considering closing it down. We must now tolerate spammers closing
> > > bugs?

> > We don't tolerate it, we put up with it as a necessary evil [...]

> So where's the difference?

I knew that would happen, when I reread that. I think it's the idea of zero-tolerance (eg with narcotics) VS decriminalisation...

> > > There are a lot of large projects, including the mozilla project, that
> > > require addresses to be registered with a password just to submit a
> > > bug. This is the model we should be moving toward. The current
> > > situation is totally unacceptable.

> > And I'm sure they miss out on bugs (mine, for example) where the finder
> > doesn't feel the need for _another_ username/password combo just to
> > submit a single bug.

> Not even *I* (heh!) suggested requiring authentication for submitting
> bug reports. Only for controlling them thereafter.

But that was the suggestion I gleaned from the above email. (For which I've lost the attribution... Adam, was it?)

On the other hand, if we needed gnuPG-signatures to manipulate bugs, that'd encourage me to hurry up and enter the NM-queue, since I already BTS-sign most bug-maintenance stuff. (Even if the initial report is sent from a machine where I don't have my gnuPG key.)

But my stated position remains that the current openness is an important part of the BTS, and should remain there.

> > For source-forge hosted projects, one user/pass covers many many
> > projects, and is useful to have.

> Which also about describes Debian. What is the fundamental difference between
> SourceForge's many "projects" and Debian's many "packages"?

Here, we're talking about "the bugs on many packages" VS most of Sourceforge. Particularly since the user/pass is required to contribute directly to the projects, I see it more like a DD's gpg signature.

Frankly, any SF project which requires me to subscribe to their email list to contribute, _does_ miss out on whatever I've got to say. And if I hadn't gotten a SF user/pass back in the days when I took any user/pass I could, I prolly wouldn't bother with one now either.

And I hope no one's actually seriously planning to restrict BTS control to people in the DD keyring.

> > A pseudo-header to match the email address for controlling bugs,
> > I guess that's acceptable to me. (I usually use control@b.d.o
> > anyway)

> Well, if it averts spammers messing with the BTS, then I'm all for it.
> I just think we may some day see other symptoms of the BTS effectively
> being anonymous, like spammers intentionally forging the
> pseudo-headers (because they deem Debian's mailing list and BTS
> archives a great spamming platform), or malicious attackers sabotaging
> the BTS.

(And of course the known problem in email signatures that you can bounce a signed body to a different email address without problems. Not a SPAM problem, but a problem for maliciousness. Combined with a pseudo-header, it's _not_ a problem...)

Can't argue there... I'll leave it to minds closer to the BTS, or who care more about SPAM.

-- 
-----------------------------------------------------------
Paul "TBBle" Hampson, MCSE
6th year CompSci/Asian Studies student, ANU
The Boss, Bubblesworth Pty Ltd (ABN: 51 095 284 361)
Paul.Hampson@Anu.edu.au

"No survivors? Then where do the stories come from I wonder?"
-- Capt. Jack Sparrow, "Pirates of the Caribbean"

This email is licensed to the recipient for non-commercial
use, duplication and distribution.
-----------------------------------------------------------
Attachment:
signature.asc
Description: Digital signature