Re: Lots of (easily recognisible) spam sent to the BTS today
On Wed November 1 2006 16:20, Javier Fernández-Sanguino Peña wrote:
> When I have suggested that (sending signed messages to the BTS to be
> accepted for processing) it was
> a) for mails to -close or to firstname.lastname@example.org to prevent a
> spammer/malicious person from closing all the bugs or mangling with
> the BTS in such a way that would take us some effort to recover
> b) restricted to providing a signed mail, not necessarily with a
> signature in the DD keyring. (this could be added later on to prevent
> abuse, if needed be and could still have a 'whitelist' of valid keys
> which could include non-DDs)
> If there's a non-DD playing with the BTS (closing bugs or using
> control@) I guess it's not really too much to ask for them to use
> signed e-mails when fiddling with it. Is it?
I don't think so. Although, it is weaker than a pseudoheader since it
would be easier for spammers to sign their messages than look up the
package name associated with a particular bug number, and less effort
than keeping a whitelist. Furthermore, it would be clear that a spammer
was targeting Debian if they did the name<->number look up... which
would make it easier to make a case that they are intentionally
interfering with Debian's systems.
Keep in mind that my original response was to your post which stated:
"...implemented so as to only consider GPG/PGP signed mail from DDs..."