[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: spam closes Debian bugs!

On Tue, Mar 16, 2004 at 05:54:51PM -0800, Adam McKenna wrote:
> On Wed, Mar 17, 2004 at 12:54:11PM +1100, Paul Hampson wrote:
> > What about your own spam precautions? Debian _does_ take the least of
> > spam precautions. From memory, we have spamassassin against debbugs,
> > although as mentioned earlier, not crossassassin... yet.
> Debian takes the least effort possible to block spam.  Maybe spamassassin is
> enabled on the lists but it is not enabled for the BTS or personal e-mail

Oops.  Please switch feet.

Look at *any* message archived in the BTS for some time now:

X-Spam-Checker-Version: SpamAssassin [...]

@debian.org aliases don't get scanned, though.  Ask yourself this, though -
if you don't care about spam enough to run your own spam detection software
on your e-mail, why should the Debian admins spend the time doing it for

Spam protection is on lists to protect the archives and the huge number of
subscribers.  It's on the BTS to minimise the amount of time the BTS admins
have to spend weeding it back out (kudos to them on the incredible speed of
removal, too).  On forwarders, though, the effort:benefit ratio just isn't
there, and there are other places it can be done to better effect -
especially since everyone is going to have their own criteria for spam/ham.

> > For Debian, it strikes me as a pain to have a user/password BTS
> > system, or anything that will prevent me running reportbug from
> > whatever random Debian machine I happen to have hit the bug from.
> I never said we should have a user/password BTS, I said we should move in
> that direction.  I can't say how far in that direction, but I also can't see
> how anyone can look at the current situation and find it acceptable.

I'll raise my hand and say that I think that the BTS gets the
openness/security mix about right.  Yes, the occasional bug gets
accidentally closed, but I've screwed up and closed other people's bugs in
changelog entries - something that wouldn't be fixed by a login, because I
would be authorized to do that.  Watching your bug reports is a reasonable
precaution at all times.

As for a malicious attack (someone getting a list of all open bug reports
and sending a giant "close NNN" for all of them to control@), the only way
to protect against that is severe restriction of the BTS controls, which is
going to annoy a lot of people who are currently contributing quietly but
who don't particularly want to go through the hassle of getting access - and
any meaningful form of getting access will be a hassle.

- Matt

Reply to: