On Tue, May 14, 2002 at 05:47:58PM +0200, Wouter Verhelst wrote: > > So we shouldn't allow people without a debian.org address to submit > > more information to a bug they didn't file unless they forge their From > > addresses? > > > > You Must Be Joking. > > That's why I explicitely mentioned 'when receiving a mail at an address > that could modify the state of a bug'. This is fine as long as an attempt to reply and tell you that your message was rejected, preferably with your original mail attached so it can be saved, modified, and resent is made. I'm no fan of rejections that give me no way to resent my message. If I get such a rejection, I want to be able to (relatively) painlessly make a change or two to the message to use control@bugs and just resend the message with a fresh sig. (Does control@bugs actually not barf if you include a message as MIME yet?) Actually, as I have never seen PGP-signed spam, checking for the existance of a sig (whether or not it's a valid Debian key, or potentially even a valid signature for that matter) should also be on the accept list. If you want to check sigs, you can have gnupg automagically fetch keys from pgp.net and such, but put a timeout on that if you do and realize the public keyring used will grow exponentially. (I do this with mutt and mailing lists, just because I like seeing that messages are intact, even if I don't have a trust value assigned to that person yet..) -- Joseph Carter <knghtbrd@bluecherry.net> No conceit in my family <SirDibos> does Johnie Ingram hang out here on IRC?
Attachment:
pgp0tiM7XwTo5.pgp
Description: PGP signature