
Re: Who gets an email when with bugreports [was: Re: Unauthorised activity surrounding tbb package]



On Mon, 2015-01-19 at 10:03 +0100, Tomas Pospisek wrote:
> On 19.01.2015 at 02:03, Ben Hutchings wrote:
> > No, this would turn the BTS into a (worse) spam vector.
> > 
> > But the acknowledgement mail should tell you how to subscribe, if you
> > aren't already subscribed.
> 
> But isn't subscribing participants "natural"?

It may be natural, but IMO you are underestimating the spam vector
problem.

Debian's bug submission mechanism does not try to verify you control the
email address you are submitting from.  Most other bug tracking systems
do such authentication, usually by requiring you to create an account.
Since there is no verification, it becomes trivial to sign someone up to
1000s of bugs using a script.

Treating every bug submission as a subscribe request (by putting a
subscribe link in the ack) is one compromise. (I am sort of surprised
that doesn't happen already.)  Automatically subscribing a DD to any bug
he sends a signed message to is another.

I am partial to the latter, even though it is a partial solution.  It
encourages DDs to sign their bug reports.  IMHO anything we can do to
encourage DDs to sign their emails to the project improves our
security.
