[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]


On Thu, Sep 19, 2002 at 01:55:40AM +1000, Anthony Towns wrote:
> Anyway, I've been thinking that we'll probably want to do away with the
> 123456-done@bugs.debian.org method of closing bugs sometime, to ensure
> that we can start tracking which version of a package closed a bug (so
> the close command would then become "close 123456 3.14-5.2"). Obviously
> the archive scripts and other things would need to be changed to cope,
> too. Do people think this would suck, too much? If not, it also lets us
> avoid the problem of address harvesters accidently figuring out how to
> close bugs.
> And then, of course, we can start making (certain) requests to
> control@b.d.o require PGP signatures... ;)

Now that we've got MIME support, at least requiring signed mails for
things is possible. Requiring a signature for the traditional -done
address doesn't work though - you have something like this:

  To: nnnnn-done@bugs.debian.org
  Content-Type: multipart/signed; protocol="pgp-signature";
  [signed data, i.e. actual text of closing message]
  Content-Type: application/pgp-signature
  [signature material]

AIUI, the To: address isn't part of the signed data, so you could just
forward some data you've found signed by a random developer and have it
close the bug. It would work as an obscure way to block spam to -done,
but wouldn't prevent abuse. So getting rid of -done altogether (with an
autoresponder telling people what the new interface is) starts to look
more appealing.

I'd quite like to see 'close' enhanced as you describe. Obviously we'd
need to make service communicate more with the submitter, which is
probably a good thing anyway (e.g. #93408).

As for other uses of signed commands: the general bug-manipulation
commands are probably horribly contentious, as they're often used by
non-developers to helpful effect, although reopen is arguable. spam and
unspam sound useful and should be signed. change-submitter? Anything

Colin Watson                                  [cjwatson@flatline.org.uk]

Reply to: