[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Who gets an email when with bugreports [was: Re: Unauthorised activity surrounding tbb package]

On Mon, Jan 19, 2015 at 4:41 AM, Russell Stuart wrote:
>> But isn't subscribing participants "natural"?
> It may be natural, but IMO you are underestimating the spam vector
> problem.
> Debian's bug submission mechanism does not try to verify you control the
> email address you are submitting from.  Most other bug tracking systems
> do such authentication, usually by requiring you to create an account.
> Since there is no verification it becomes trivial to sign someone up to
> 1000's of bugs using a script.

Isn't the spam vector already wide open for
nnnnnn-subscribe@bugs.debian.org, which isn't much (ab)used today?

I fail to see how any of the discussed changes open an abuse vector
that doesn't already exist.

Best wishes,

Reply to: