[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Reopening bug closed due to SPAM

>>>>> "Javier" == Javier Fernández-Sanguino Peña <jfs@computer.org> writes:

    Javier> If spam e-mail is going to start closing our Bugs in the
    Javier> BTS then we should start thinking about implementing
    Javier> authentication checks in the BTS...  like for example: do
    Javier> not allow control messages or -close messages with no
    Javier> attached (valid) GPG/PGP signatures (from a valid
    Javier> developer?)"

Would a GPG signature help in the long run?

The BTS closes bugs based on the address in the SMTP recipient field.

This is not GPG protected.

So a Spammer could copy an existing email from an existing developer
from mailing list archives, forge his email address, and resend
it. The signature remains valid, and the bug will still be closed.

GPG signatures don't protect data that isn't protected (such as mail
headers or SMTP session), and it doesn't protect against replay
attacks (unless you add some other mechanism, e.g. include the date
and time in the protected part of the message).
Brian May <bam@debian.org>

Reply to: