
Re: spam closes Debian bugs!



On Wed, Mar 17, 2004 at 11:03:03AM +0100, Julian Mehnle wrote:
> Paul Hampson wrote:
> > > I'm getting so much spam through my debian account that I'm already
> > > considering closing it down.  We must now tolerate spammers closing
> > > bugs? 

> > We don't tolerate it, we put up with it as a necessary evil [...]

> So where's the difference?

I knew that would happen, when I reread that. I think it's the idea
of zero-tolerance (e.g. with narcotics) VS decriminalisation...

> > > There are a lot of large projects, including the mozilla project, that
> > > require addresses to be registered with a password just to submit a
> > > bug. This is the model we should be moving toward.  The current
> > > situation is totally unacceptable.

> > And I'm sure they miss out on bugs (mine, for example) where the finder
> > doesn't feel the need for _another_ username/password combo just to
> > submit a single bug. 

> Not even *I* (heh!) suggested requiring authentication for submitting
> bug reports.  Only for controlling them thereafter.

But that was the suggestion I gleaned from the above email.
(For which I've lost the attribution... Adam, was it?)

On the other hand, if we needed GnuPG signatures to manipulate bugs,
that'd encourage me to hurry up and enter the NM-queue, since I
already BTS-sign most bug-maintenance stuff. (Even if the initial report
is sent from a machine where I don't have my GnuPG key.)

But my stated position remains that the current openness is an
important part of the BTS, and should remain there.

> > For SourceForge-hosted projects, one user/pass covers many many
> > projects, and is useful to have.

> Which also about describes Debian.  What is the fundamental difference between
> SourceForge's many "projects" and Debian's many "packages"?

Here, we're talking about "the bugs on many packages" VS most of
SourceForge. Particularly since the user/pass is required to contribute
directly to the projects, I see it more like a DD's gpg signature.

Frankly, any SF project which requires me to subscribe to their email
list to contribute, _does_ miss out on whatever I've got to say. And
if I hadn't gotten a SF user/pass back in the days when I took any
user/pass I could, I prolly wouldn't bother with one now either.

And I hope no one's actually seriously planning to restrict BTS control
to people in the DD keyring.

> > A pseudo-header to match the email address for controlling bugs,
> > I guess that's acceptable to me. (I usually use control@b.d.o
> > anyway)

> Well, if it averts spammers messing with the BTS, then I'm all for it.
> I just think we may some day see other symptoms of the BTS effectively
> being anonymous, like spammers intentionally forging the
> pseudo-headers (because they deem Debian's mailing list and BTS
> archives a great spamming platform), or malicious attackers sabotaging
> the BTS.

(And of course the known problem in email signatures that you can
bounce a signed body to a different email address without problems.
Not a SPAM problem, but a problem for maliciousness. Combined with
a pseudo-header, it's _not_ a problem...)

Can't argue there... I'll leave it to minds closer to the BTS, or who
care more about SPAM.

-- 
-----------------------------------------------------------
Paul "TBBle" Hampson, MCSE
6th year CompSci/Asian Studies student, ANU
The Boss, Bubblesworth Pty Ltd (ABN: 51 095 284 361)
Paul.Hampson@Anu.edu.au

"No survivors? Then where do the stories come from I wonder?"
-- Capt. Jack Sparrow, "Pirates of the Caribbean"

This email is licensed to the recipient for non-commercial
use, duplication and distribution.
-----------------------------------------------------------

Attachment: signature.asc
Description: Digital signature
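
An added example, not part of the original message and not BTS code: one reading of the "signature combined with a pseudo-header" idea above, where the signed body itself names the sender and the intended control address, so a validly signed body re-sent to another address or under another From is rejected. The pseudo-header names Control-From and Control-To, the addresses, and the signature_valid flag (standing in for a GnuPG check done elsewhere) are assumptions.

```python
from email.utils import parseaddr

# Constructed sample: a signed body whose first lines are pseudo-headers.
SAMPLE_BODY = (
    "Control-From: dev@example.org\n"
    "Control-To: control@bugs.example.org\n"
    "\n"
    "close 123456\n"
    "thanks\n"
)

def parse_pseudo_headers(body):
    """Read 'Name: value' lines at the top of the body, up to the first blank line."""
    headers = {}
    for line in body.splitlines():
        if not line.strip():
            break
        name, sep, value = line.partition(":")
        if not sep:
            break  # first non-header line ends the pseudo-header block
        headers[name.strip().lower()] = value.strip()
    return headers

def _addr(value):
    """Bare lower-cased address from 'Name <addr>' or 'addr'; '' if absent."""
    return parseaddr(value or "")[1].lower()

def check_control_message(header_from, delivered_to, signed_body, signature_valid):
    """Return (accepted, reason) for a control message.

    signature_valid is the result of verifying the signature over signed_body
    (assumed to be done by GnuPG before this function is called).
    """
    if not signature_valid:
        return (False, "bad or missing signature")
    pseudo = parse_pseudo_headers(signed_body)
    claimed_from = _addr(pseudo.get("control-from"))  # hypothetical name
    claimed_to = _addr(pseudo.get("control-to"))      # hypothetical name
    if not claimed_from or not claimed_to:
        return (False, "pseudo-headers missing from signed body")
    if claimed_from != _addr(header_from):
        return (False, "sender does not match signed pseudo-header")
    if claimed_to != _addr(delivered_to):
        # The signature is still valid, but the body was signed for another address.
        return (False, "signed body was addressed elsewhere")
    return (True, "ok")
```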

