
Re: Who gets an email when with bugreports [was: Re: Unauthorised activity surrounding tbb package]

On Wed, 2015-01-21 at 21:10 -0500, Michael Gilbert wrote:
> So anyway, nnnnnn-subscribe can be used to spam confirmation messages
> currently, and general mail to the bts from an unknown address will
> end up doing the same, but it's basically a non-issue because it's a
> rather uninteresting thing to do for anyone that might consider
> wanting to do it.

I don't know how interesting it would be on an absolute scale, it
certainly would be "more interesting than it is now" if we remove the
authentication we have.

The reason is all that happens now is you get one unwanted email and
that is the end of it.  In particular the attacker can't force you to do
something to prevent the bugs.debian.org from sending further unwanted
emails.  If you get rid of authentication then the victim, be it you, or
your mother, or your local police constable, will have to tell the
Debian bugs system to unsubscribe them from a list they never subscribed
to in the first place.

Perhaps you can suggest a way of explaining the situation to our mothers
or local law enforcement agents so they don't end up blaming the Debian
bugs system for putting them in this predicament.  I'm struggling to come
up with something they would swallow once they learn we could have
designed the system to avoid it, but chose not to because we found it
convenient to inconvenience them.
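The design point argued above, as an added illustration that is not part of the thread or the Debian BTS code: a toy model of per-bug subscriptions where `require_confirmation` switches between confirm-before-subscribe (a keyed token mailed to the address, so a third party's request causes exactly one message and nothing more) and blind subscription (the address starts receiving all later bug traffic until its owner opts out). Class, method and bug names are hypothetical.

```python
import hashlib
import hmac


class BugSubscriptions:
    """Hypothetical model of per-bug subscription lists (not the BTS code)."""

    def __init__(self, secret: bytes, require_confirmation: bool = True):
        self._secret = secret
        self.require_confirmation = require_confirmation
        self.active = set()   # (bug, address) pairs that receive bug traffic
        self.outbox = []      # (address, subject) for every mail the system sent

    def _token(self, bug: int, address: str, issued: int) -> str:
        # Keyed MAC over bug, address and issue time: only the tracker can mint it.
        msg = f"{bug}:{address.lower()}:{issued}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def request_subscribe(self, bug: int, address: str, now: int) -> str:
        """Reachable by anyone, e.g. mail to nnnnnn-subscribe from any sender."""
        if not self.require_confirmation:
            # No authentication: a third party can put any address on the list.
            self.active.add((bug, address.lower()))
            return ""
        # With confirmation the only effect is one mail carrying a token that
        # is useless to anyone who cannot read the victim's mailbox.
        token = self._token(bug, address, now)
        self.outbox.append((address.lower(), f"confirm subscription to bug #{bug}"))
        return f"{now}:{token}"

    def confirm(self, bug: int, address: str, confirmation: str, now: int,
                ttl: int = 7 * 86400) -> bool:
        """Activate only if the token is genuine, for this bug/address, and unexpired."""
        issued_s, _, token = confirmation.partition(":")
        if not issued_s.isdigit() or now - int(issued_s) > ttl:
            return False
        if not hmac.compare_digest(token, self._token(bug, address, int(issued_s))):
            return False
        self.active.add((bug, address.lower()))
        return True

    def deliver(self, bug: int, subject: str) -> None:
        """A new message on the bug goes to every active subscriber of that bug."""
        for b, addr in self.active:
            if b == bug:
                self.outbox.append((addr, subject))

    def mails_to(self, address: str) -> int:
        return sum(1 for addr, _ in self.outbox if addr == address.lower())
```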
