
Re: Reopening bug closed due to SPAM



>>>>> "Javier" == Javier Fernández-Sanguino Peña <jfs@computer.org> writes:

    Javier> If spam e-mail is going to start closing our Bugs in the
    Javier> BTS then we should start thinking about implementing
    Javier> authentication checks in the BTS...  like for example: do
    Javier> not allow control messages or -close messages with no
    Javier> attached (valid) GPG/PGP signatures (from a valid
    Javier> developer?)

Would a GPG signature help in the long run?

The BTS closes bugs based on the address in the SMTP recipient field.

This is not GPG protected.

So a spammer could copy an existing email from an existing developer
from mailing list archives, forge his email address, and resend
it. The signature remains valid, and the bug will still be closed.

GPG signatures don't protect data that isn't protected (such as mail
headers or SMTP session), and they don't protect against replay
attacks (unless you add some other mechanism, e.g. include the date
and time in the protected part of the message).
-- 
Brian May <bam@debian.org>
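
The checks discussed in the message above, as an added example that is not part of the original e-mail or of the BTS code: a signature-only acceptance test next to one that also requires the control address and a timestamp inside the signed body, plus a cache of already-processed messages. Assumptions: an HMAC stands in for the GPG signature, the `Control-Address` and `Signed-At` body fields, the 24-hour window and all addresses and sample messages are constructed for illustration.

```python
import hashlib
import hmac
from datetime import datetime, timedelta

KEY = b"constructed-demo-key"      # stand-in for a developer's signing key
MAX_AGE = timedelta(hours=24)      # assumed freshness window

def sign(body: bytes) -> bytes:
    """HMAC stand-in for a detached signature; it covers the body only."""
    return hmac.new(KEY, body, hashlib.sha256).digest()

def signed_fields(body: bytes) -> dict:
    """Read 'Name: value' lines from the top of the signed body."""
    fields = {}
    for line in body.decode("utf-8", "replace").splitlines():
        if not line.strip():
            break
        name, _, value = line.partition(":")
        fields[name.strip().lower()] = value.strip()
    return fields

def naive_accept(envelope_rcpt: str, body: bytes, sig: bytes) -> bool:
    """Signature-only check: the envelope recipient is never examined."""
    return hmac.compare_digest(sign(body), sig)

def strict_accept(envelope_rcpt, body, sig, now, seen) -> str:
    """Return 'ok' or the reason the control message is refused."""
    if not hmac.compare_digest(sign(body), sig):
        return "bad signature"
    fields = signed_fields(body)
    if fields.get("control-address", "").lower() != envelope_rcpt.lower():
        return "recipient not covered by signature"
    try:
        age = now - datetime.fromisoformat(fields.get("signed-at", ""))
    except (ValueError, TypeError):   # absent, malformed or zone-less timestamp
        return "no usable signed timestamp"
    if not timedelta(0) <= age <= MAX_AGE:
        return "stale or future-dated"
    digest = hashlib.sha256(body).hexdigest()
    if digest in seen:                # same signed body already processed
        return "replay"
    seen.add(digest)
    return "ok"

# Constructed sample data: an ordinary signed list post and a signed close request.
NOW = datetime.fromisoformat("2004-03-02T09:00:00+00:00")
DONE_ADDR = "12345-done@bugs.example.org"
LIST_POST = b"Hello list,\n\nI think this is fixed upstream.\n"
CLOSE_REQ = (b"Control-Address: 12345-done@bugs.example.org\n"
             b"Signed-At: 2004-03-02T08:30:00+00:00\n\nFixed in 1.2-3.\n")
```

With the signature-only check, the archived list post is accepted at any recipient address; the stricter check refuses it and accepts the close request once, at the address it names, within the window.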


