On Mon, 2015-01-19 at 10:03 +0100, Tomas Pospisek wrote:
> On 19.01.2015 at 02:03, Ben Hutchings wrote:
> > No, this would turn the BTS into a (worse) spam vector.
> >
> > But the acknowledgement mail should tell you how to subscribe, if you
> > aren't already subscribed.
>
> But isn't subscribing participants "natural"?

It may be natural, but IMO you are underestimating the spam vector problem. Debian's bug submission mechanism does not try to verify you control the email address you are submitting from. Most other bug tracking systems do such authentication, usually by requiring you to create an account. Since there is no verification it becomes trivial to sign someone up to 1000s of bugs using a script.

Treating every bug submission as a subscribe request (by putting a subscribe link in the ack) is one compromise. (I am sort of surprised that doesn't happen already.) Automatically subscribing a DD to any bug he sends a signed message to is another.

I am partial to the latter, even though it is a partial solution. It encourages DDs to sign their bug reports. IMHO anything we can do to encourage DDs to sign their emails to the project improves our security.
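The two compromises discussed in the message above, as an added example that is not part of the original post and is not Debian BTS code: an unverified submission only gets a subscribe link whose token is bound to the address and bug, while a submission carrying an already verified signature from a key in a developer keyring is subscribed directly. All names, the secret, the one-week lifetime and the fingerprints are hypothetical, and signature verification itself (for example by GnuPG) is assumed to happen before `on_submission` is called.

```python
import hashlib
import hmac
import time
from typing import Optional, Set, Tuple

SECRET = b"constructed-demo-secret"  # assumption: secret known only to the tracker
TOKEN_TTL = 7 * 24 * 3600            # assumption: link is valid for one week


def _mac(address: str, bug: int, expires: int) -> str:
    msg = f"{address.lower()}|{bug}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def make_token(address: str, bug: int, now: Optional[int] = None) -> str:
    """Token for the subscribe link sent in the acknowledgement mail."""
    expires = (int(time.time()) if now is None else now) + TOKEN_TTL
    return f"{expires}.{_mac(address, bug, expires)}"


def confirm(address: str, bug: int, token: str, now: Optional[int] = None) -> bool:
    """True only for an unexpired token issued for this address and this bug."""
    now = int(time.time()) if now is None else now
    try:
        expires_s, mac = token.split(".", 1)
        expires = int(expires_s)
    except ValueError:  # malformed token: no dot, or non-numeric expiry
        return False
    good = _mac(address, bug, expires)
    # Constant-time comparison, then the expiry check.
    return hmac.compare_digest(mac.encode(), good.encode()) and now <= expires


def on_submission(sender: str, bug: int, signer_fpr: Optional[str],
                  dd_keyring: Set[str]) -> Tuple[str, Optional[str]]:
    """Decide what a submission does to the subscriber list.

    signer_fpr is the fingerprint of a signature that was already verified,
    or None. The From header alone never causes a subscription.
    """
    if signer_fpr is not None and signer_fpr in dd_keyring:
        return ("subscribed", None)
    # Unverified sender: only the mailbox owner receives the token.
    return ("ack-with-link", make_token(sender, bug))
```

Because the token only reaches the mailbox named in the submission, a script forging someone else's address causes acknowledgement mails but cannot complete the subscription.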