Debian Developers - spam closes Debian bugs!


josh buhl

2004-03-13, 5:33 am

I just got notified that one of my submitted bugs had been closed. When
I checked to see what the resolution was, I saw that the bug had been
closed by a spammer who had sent a spam to 190721-close@bugs.debian.org

This obviously jeopardizes the integrity of the entire bug tracking system!

Good Luck!

Josh Buhl


--
To UNSUBSCRIBE, email to debian-devel-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Isaac Clerencia

2004-03-13, 5:33 am

Florent Rougon

2004-03-13, 5:33 am

Isaac Clerencia <isaac@sindominio.net> wrote:

> While I definitely see this as bad(TM), i don't see this as a big
> breakdown of our BTS. As long as developers keep an eye at the bugs
> reports, and attend theire mail I don't see a major problem in this.


And if people stopped writing full unobfuscated bug closing addresses
ready for spammers to use in harvested places like Debian lists, I bet
there would be no such problem.

--
Florent


Mathieu Roy

2004-03-13, 6:33 am

Isaac Clerencia <isaac@sindominio.net> wrote:

> On Saturday 13 March 2004 10:38, josh buhl wrote:
>
> While I definitely see this as bad(TM), i don't see this as a big breakdown of
> our BTS. As long as developers keep an eye at the bugs reports, and attend
> theire mail I don't see a major problem in this.


Still, it is strange to see that any bug can be closed without being
sure of the origin of the request. The bug tracker should check GPG
signatures on mails sent, at least on mails sent to control@ and
nnnn-done@. It does not mean restricting control@ and nnnn-done@,
but it should take more than sending a mail to fool them. Being forced
to create a GPG signature (and so creating an address) for each spam,
I'm not sure it would make spammers happy.

--
Mathieu Roy

+---------------------------------------------------------------------+
| General Homepage: http://yeupou.coleumes.org/ |
| Computing Homepage: http://alberich.coleumes.org/ |
| Not a native english speaker: |
| http://stock.coleumes.org/doc.php?i.../flawed-english |
+---------------------------------------------------------------------+


Andreas Barth

2004-03-13, 6:33 am

* Mathieu Roy (yeupou@gnu.org) [040313 11:55]:
> Still, it is strange to see that any bug can be closed without being
> sure of the origin of the request. The bug tracker should check GPG
> signatures on mails sent, at least on mails sent to control@ and
> nnnn-done@. It does not mean restricting control@ and nnnn-done@,
> but it should take more than sending a mail to fool them. Being forced
> to create a GPG signature (and so creating an address) for each spam,
> I'm not sure it would make spammers happy.


I've never signed my mails to the bts, and I'm sometimes sending mails
from places where I don't have access to my gpg-key.


Cheers,
Andi
--
http://home.arcor.de/andreas-barth/
PGP 1024/89FB5CE5 DC F1 85 6D A6 45 9C 0F 3B BE F1 D0 C5 D1 D9 0C


Julian Mehnle

2004-03-13, 7:33 am

Andreas Barth wrote:
> I've never signed my mails to the bts, and I'm sometimes sending mails
> from places where I don't have access to my gpg-key.


Oh, no. Not this silly kind of argument.

I sometimes would like to set up call forwardings for my home phone from
places where I don't have access to it. Should my telco allow my phone
line to be configured from anywhere without authentication?

So, to start over, I'll just ask: So what? Where's the problem with
not being able to *control* bug reports from *everywhere*?


Thomas Viehmann

2004-03-13, 8:33 am

Julian Mehnle wrote:
> So, to start over, I'll just ask: So what? Where's the problem with
> not being able to *control* bug reports from *everywhere*?

If you restrict closing of bug reports:
Who should be allowed to close bug reports? Only the maintainer? Only
DDs? I think both of these options are essentially a non-answer.

Another thing is that taking options away from people for no good
reason doesn't usually play well with the users. At least the current
type of spam problem could be easily averted by closing bugs via
requiring a "Closes: " pseudoheader.

Cheers

T.
--
Thomas Viehmann, <http://beamnet.de/tv/>

Julian Mehnle

2004-03-13, 8:33 am

Thomas Viehmann wrote:
> Julian Mehnle wrote:
> If you restrict closing of bug reports:
> Who should be allowed to close bug reports? Only the maintainer? Only
> DDs? I think both of these options are essentially a non-answer.


Only DDs, the maintainer, and the reporter -- if his initial report was
signed.

> An other thing is that taking options away from people for no good
> reason isn't usually playing well with the users.


Careful. There *is* a good reason. Maybe it isn't good enough, but it
is there.

> At least the current type of spam problem could be easily averted
> by closing bugs via requiering "Closes: " pseudoheader.


That would be another possibility. No problem with me -- until some
class of attackers start attacking the BTS systematically.


Andreas Barth

2004-03-13, 8:33 am

* Thomas Viehmann (tv@beamnet.de) [040313 12:40]:
> Julian Mehnle wrote:
> If you restrict closing of bug reports:
> Who should be allowed to close bug reports? Only the maintainer? Only
> DDs? I think both of these options are essentially a non-answer.


Quite easy: Anyone whose mail address is
- in the keyring,
- maintainer of any packages or
- subscribed to any mailing list, including the whitelist
- reporter of this bug (any bug?)

Who doesn't match any of these conditions does not really need to
close bugs.


Cheers,
Andi
--
http://home.arcor.de/andreas-barth/
PGP 1024/89FB5CE5 DC F1 85 6D A6 45 9C 0F 3B BE F1 D0 C5 D1 D9 0C


Andreas Barth

2004-03-13, 8:33 am

* Julian Mehnle (lists@mehnle.net) [040313 12:40]:
> I sometimes would like to set up call forwardings for my home phone
> from places where I don't have access to it. Should my telco allow
> my phone line to be configured from anywhere without authentication?


You can definitely do that, if you are an important enough customer.

> So, to start over, I'll just ask: So what? Where's the problem
> with not being able to *control* bug reports from *everywhere*?


Because it _is_ quite a useful feature. And - who should be allowed to
sign it? Everyone who has a gpg key? Everyone who is a DD? Why place
the additional burden of signing mails?

If it _really_ is a problem (please be aware, we had that only once
till now), then there are better ways to control it. Including from
verification, as it _is_ currently done for the mailing lists.


Cheers,
Andi
--
http://home.arcor.de/andreas-barth/
PGP 1024/89FB5CE5 DC F1 85 6D A6 45 9C 0F 3B BE F1 D0 C5 D1 D9 0C


Andreas Barth

2004-03-13, 8:33 am

* Julian Mehnle (lists@mehnle.net) [040313 13:10]:
> Thomas Viehmann wrote:
> Only DDs, the maintainer, and the reporter -- if his initial report
> was signed.


Come on. You're trying to fix a problem we don't really have. Please:
If it is not broken, then don't fix it.

And: There are some non-DDs who do just great QA-work. You don't want
to exclude them? And: Why should a non-DD not be allowed to start
helping out at any package before he is added to the uploaders field?
That doesn't make any sense, and starting helping to sort out bug
reports is something that's quite often _really_ helpful to the
maintainer.



Cheers,
Andi
--
http://home.arcor.de/andreas-barth/
PGP 1024/89FB5CE5 DC F1 85 6D A6 45 9C 0F 3B BE F1 D0 C5 D1 D9 0C


Andreas Metzler

2004-03-13, 8:33 am

Julian Mehnle <lists@mehnle.net> wrote:
> Andreas Barth wrote:
> Oh, no. Not this silly kind of argument.


This is _not_ silly.

> I sometimes would like to set up call forwardings for my home phone
> from places where I don't have access to it. Should my telco allow
> my phone line to be configured from anywhere without authentication?


No, because the loss is bigger than the gain.

> So, to start over, I'll just ask: So what? Where's the problem
> with not being able to *control* bug reports from *everywhere*?


It limits the locations I can do Debian work from and makes
interacting with the BTS more work.

You have to balance costs and benefits when deciding upon such issues.
We have heard of just *one* single bug report being closed by spam, so
the benefit is clearly minimal *currently*.
cu andreas
--
NMUs aren't an insult, they're not an attack, and they're
not something to avoid or be ashamed of.
Anthony Towns in 2004-02 on debian-devel


Julian Mehnle

2004-03-13, 8:33 am

Andreas Barth wrote:
> * Julian Mehnle (lists@mehnle.net) [040313 12:40]:
> You can definitly do that, if you are a important enough customer.


....without authentication? I don't think so.

> Because it _is_ quite a useful feature. And - who should be allowed to
> sign it? Everyone who has a gpg key? Everyone who is a DD? Why place
> the additional burden of signing mails?


You already answered[1] your own question.

> If it _really_ is a problem (please be aware, we had that only once
> till now)


I'm not sure, but I don't think this is true. At least some closed bugs
had been reopened by spam (or vice versa, I don't remember right now) in
the past.

[1] Message-ID: <20040313120439.GF15208@mails.so.argh.org>


Julian Mehnle

2004-03-13, 8:34 am

Andreas Barth wrote:
> * Julian Mehnle (lists@mehnle.net) [040313 13:10]:
> Come on. You're trying to fix a problem we don't really have. Please:
> If it is not broken, than don't fix it.


I'm just not one of these conservatives who fix real problems not until
massive damage has already been caused. I'm clearly seeing a big
potential problem here, and I'm suggesting a solution *before*
significant damage has been caused.

> And: There are some non-DDs who do just great QA-work. You don't want
> to exclude them? And: Why should a non-DD not be allowed to start
> helping out at any package before he is added to the uploaders field?


We need to weight the advantage of less bureaucracy against the
disadvantage of less security. I deem it an acceptable compromise to
restrict the *control* of bug reports to people we are sure we can
trust. And yes, as I am no DD, my suggestion would exclude *me* from
*controlling* any bugs I didn't report or bugs for packages I don't
maintain. And I have no problem with that.

> helping to sort out bug reports is something that's quite often
> _really_ helpful to the maintainer.


So what's the problem with becoming a co-maintainer?


Julian Mehnle

2004-03-13, 8:34 am

Andreas Metzler wrote:
> It limits the locations I can do Debian work from and makes
> interacting with the BTS more work.


Not necessarily. You could carry your private key with you on a USB
key. Or whatever.

> You have to balance costs and benefits when diciding upon such issues.


I absolutely agree.

> We have heard of just *one* single bug report being closed by spam so,
> the benefit is clearly minimal *currently*.


Maybe. But I'm not just talking about *currently*. I'm not that
short-sighted.


Bartosz Fenski aka fEnIo

2004-03-13, 8:34 am

On Sat, Mar 13, 2004 at 01:35:24PM +0100, Julian Mehnle wrote:
> I'm just not one of these conservatives who fix real problems not
> until massive damage has already been caused. I'm clearly seeing a big
> potential problem here, and I'm suggesting a solution *before*
> significant damage has been caused.

I agree with Julian. It's pretty obvious that prevention is a much
better resolution than fixing damages.

Yep, now it's *one* event, but we can't be sure what will happen next.
I'm not a DD yet, but what are the benefits of allowing someone
untrusted to close BTS's bugs?

We are not talking about restriction for sending comments, patches and
so on. But closing bugs should be allowed for DDs and probably for the
person who opened such a bug.

regards
fEnIo

--
_ Bartosz Feński aka fEnIo | mailto:fenio@o2.pl | pgp:0x13fefc40
_|_|_ 32-050 Skawina - Głowackiego 3/15 - w. małopolskie - Polska
(0 0) phone:+48602383548 | ICQ:46704720 | GG:726362 | IRC:fEnIo
ooO--(_)--Ooo http://skawina.eu.org | JID:fenio@jabber.org | RLU:172001

Andreas Metzler

2004-03-13, 9:33 am

Julian Mehnle <lists@mehnle.net> wrote:
> Andreas Metzler wrote:
> Not necessarily. You could carry your private key with you on a USB
> key. Or whatever.


Signing mails is work.

> I absolutely agree.


> Maybe. But I'm not just talking about *currently*. I'm not that
> short-sighted.


I am not short sighted either, which is why I have not said "we may
not force signing ever in a gazillion years because *currently* the
benefit is minimal" but "...not force signing *now* because
*currently*...".

Fix the problem once it exists.
cu andreas
--
NMUs aren't an insult, they're not an attack, and they're
not something to avoid or be ashamed of.
Anthony Towns in 2004-02 on debian-devel


Julian Mehnle

2004-03-13, 10:34 am

Andreas Metzler wrote:
> Signing mails is work.


Writing mails is significantly more work. At least it should be.

> I am not short sighted either, which is why I have not said "we may
> not force signing ever in a gazilllion years because *currently* the
> benefit is minimal" but "...not force signing *now* because
> *currently*...".
> Fix the problem once it exist.


It already exists. The problem is that *everyone* can control bugs in
the BTS. Spammers unintentionally closing bugs is not the problem, it's
just one of the possible symptoms.
What you basically suggest is waiting until the problem displays more
symptoms, causing significant damage.

What I suggest is a solution that IMO doesn't cause unproportional
trouble for people who need to control bugs in the BTS.


Paul Hampson

2004-03-13, 10:34 am

On Sat, Mar 13, 2004 at 10:38:53AM +0100, josh buhl wrote:
> I just got notified that one of my submitted bugs had been closed. When
> I checked to see what the resolution was, I saw that the bug had been
> closed by a spammer who had sent a spam to 190721-close@bugs.debian.org


> This obviously jeopardizes the integrity of the entire bug tracking system!


As I remember, you report this to owner@bugs.debian.org (or somesuch,
you wanna check that) and they will flush out that spam and fix its
wild changes to the bug status database.

Normally the maintainer would report it upon seeing a SPAM come in to
the bug-closing address... Unless their local SPAM-filter chucks the
message, I guess. :-)

--
-----------------------------------------------------------
Paul "TBBle" Hampson, MCSE
6th year CompSci/Asian Studies student, ANU
The Boss, Bubblesworth Pty Ltd (ABN: 51 095 284 361)
Paul.Hampson@Anu.edu.au

"No survivors? Then where do the stories come from I wonder?"
-- Capt. Jack Sparrow, "Pirates of the Caribbean"

This email is licensed to the recipient for non-commercial
use, duplication and distribution.
-----------------------------------------------------------

Andreas Metzler

2004-03-13, 11:34 am

Julian Mehnle <lists@mehnle.net> wrote:
> Andreas Metzler wrote:

[...]
> It already exists. The problem is that *everyone* can control bugs
> in the BTS.

[...]

No, this is no problem; this is how it is supposed to work. It only
would be a problem if it was abused.
cu andreas


Mathieu Roy

2004-03-13, 11:34 am

Andreas Barth <aba@not.so.argh.org> wrote:

> * Julian Mehnle (lists@mehnle.net) [040313 13:10]:
>
>
> Come on. You're trying to fix a problem we don't really have. Please:
> If it is not broken, than don't fix it.
>
> And: There are some non-DDs who do just great QA-work. You don't want
> to exclude them? And: Why should a non-DD not be allowed to start
> helping out at any package before he is added to the uploaders field?
> That doesn't make any sense, and starting helping to sort out bug
> reports is something that's quite often _really_ helpful to the
> maintainer.



I personally did not suggest to restrict access to bugs control. I'm
just saying that spammers are probably not going to create a gpg key,
send it to a keyserver, just to spam the Debian BTS.


--
Mathieu Roy

+---------------------------------------------------------------------+
| General Homepage: http://yeupou.coleumes.org/ |
| Computing Homepage: http://alberich.coleumes.org/ |
| Not a native english speaker: |
| http://stock.coleumes.org/doc.php?i.../flawed-english |
+---------------------------------------------------------------------+


Mathieu Roy

2004-03-13, 11:34 am

Andreas Metzler <ametzler@downhill.at.eu.org> wrote:

> Julian Mehnle <lists@mehnle.net> wrote:
>
>
>
> Signing mails is work.


Then you clearly use broken tools. I'm sorry but with all the mailers
I know, signing a mail is just clicking on a button or typing a
shortcut, and then typing the passphrase.


> I am not short sighted either, which is why I have not said "we may
> not force signing ever in a gazilllion years because *currently* the
> benefit is minimal" but "...not force signing *now* because
> *currently*...".
>
> Fix the problem once it exist.


It already happened that a bug report was closed by a spam. So the
problem does exist, you can't deny it. What you can say is that you are
questioning the importance of the issue.


--
Mathieu Roy

+---------------------------------------------------------------------+
| General Homepage: http://yeupou.coleumes.org/ |
| Computing Homepage: http://alberich.coleumes.org/ |
| Not a native english speaker: |
| http://stock.coleumes.org/doc.php?i.../flawed-english |
+---------------------------------------------------------------------+


Pascal Hakim

2004-03-13, 11:34 am

On Sat, Mar 13, 2004 at 04:54:20PM +0100, Mathieu Roy wrote:
>
> Then you clearly use broken tools. I'm sorry but with all the mailers
> I know, signing a mail is just clicking on a button or typing a
> shortcut, and then typing the passphrase.
>


If you have decided to not leave your GPG key on a network-accessible
computer, signing a message requires going over sneaker-net, and is
work.

Cheers,

Pasc
--
Pascal Hakim +61 4 0341 1672


Joey Hess

2004-03-13, 11:34 am

Andreas Metzler wrote:
> You have to balance costs and benefits when diciding upon such issues.
> We have heard of just *one* single bug report being closed by spam so,
> the benefit is clearly minimal *currently*.


It's happened several times, and we have had this exact thread several
times. Therefore, this thread is pointless.

--
see shy jo

Andreas Barth

2004-03-13, 12:34 pm

* Julian Mehnle (lists@mehnle.net) [040313 13:40]:
> Andreas Metzler wrote:
> Not necessarily. You could carry your private key with you on a USB
> key. Or whatever.


Sorry, but I try to protect my private key. There are computers where
I do QA work from (and send mail to the bts), but where I _won't_ plug
into my private key. Because: If someone gets access to my private
key, he can do a lot of damage.

Well, and please become maintainer of at least one package before
trying to enforce some restrictions on the way package maintainers can
do their work.


Cheers,
Andi
--
http://home.arcor.de/andreas-barth/
PGP 1024/89FB5CE5 DC F1 85 6D A6 45 9C 0F 3B BE F1 D0 C5 D1 D9 0C


Mathieu Roy

2004-03-13, 12:34 pm

Joey Hess <joeyh@debian.org> wrote:

> Andreas Metzler wrote:
>
> It's happened several times, and we have had this exact thread several
> times. Therefore, this thread is pointless.


How could the fact that no consensus has ever been reached on the
subject mean that the subject is pointless?

The subject would be pointless if there were no problem and no
proposal.

--
Mathieu Roy

+---------------------------------------------------------------------+
| General Homepage: http://yeupou.coleumes.org/ |
| Computing Homepage: http://alberich.coleumes.org/ |
| Not a native english speaker: |
| http://stock.coleumes.org/doc.php?i.../flawed-english |
+---------------------------------------------------------------------+


Andreas Barth

2004-03-13, 12:34 pm

* Julian Mehnle (lists@mehnle.net) [040313 13:40]:
> Andreas Barth wrote:
> I'm just not one of these conservatives who fix real problems not
> until massive damage has already been caused. I'm clearly seeing a
> big potential problem here, and I'm suggesting a solution *before*
> significant damage has been caused.


Blah. _You're_ doing damage in wasting time of maintainers.


> We need to weight the advantage of less bureaucracy against the
> disadvantage of less security. I deem it an acceptable compromise
> to restrict the *control* of bug reports to people we are sure we
> can trust. And yes, as I am no DD, my suggestion would exclude *me*
> from *controlling* any bugs I didn't report or bugs for packages I
> don't maintain. And I have no problem with that.


Yes, you don't maintain any packages and don't do any QA work and
aren't a DD. So please restrict yourself to speaking about things
you know, and don't try to put restrictions on the way other people do
their work.



> So what's the problem with becoming a co-maintainer?


Do you think I should add someone to uploaders _before_ he has started
to prove that he has clue? Or should I sponsor each message of him to
the BTS? I'm reading _every_ change regarding a bug of any of my
packages - and I'll fix it if something breaks.



Cheers,
Andi
--
http://home.arcor.de/andreas-barth/
PGP 1024/89FB5CE5 DC F1 85 6D A6 45 9C 0F 3B BE F1 D0 C5 D1 D9 0C


Andreas Barth

2004-03-13, 12:34 pm

* Bartosz Fenski aka fEnIo (fenio@o2.pl) [040313 14:10]:
> We are not talking about restriction for sending comments, patches and
> so on. But closing bugs should be allowed for DD's and probably for
> persone who opened such bug.


I disagree. What if someone helping me with some of my packages is
closing bugs because they're void? Would I need to sponsor the
change? That's ridiculous.

Cheers,
Andi
--
http://home.arcor.de/andreas-barth/
PGP 1024/89FB5CE5 DC F1 85 6D A6 45 9C 0F 3B BE F1 D0 C5 D1 D9 0C


Andreas Barth

2004-03-13, 12:34 pm

* Joey Hess (joeyh@debian.org) [040313 17:25]:
> Andreas Metzler wrote:
> It's happened several times, and we have had this exact thread several
> times. Therefore, this thread is pointless.


Well, the mailing list admins have implemented some good ideas to
reduce spam on the mailing lists. Perhaps some of their ideas would
also match for the BTS, without restricting legitimate usage.


Cheers,
Andi
--
http://home.arcor.de/andreas-barth/
PGP 1024/89FB5CE5 DC F1 85 6D A6 45 9C 0F 3B BE F1 D0 C5 D1 D9 0C


Andreas Metzler

2004-03-13, 1:34 pm

Mathieu Roy <yeupou@gnu.org> wrote:
> Andreas Metzler <ametzler@downhill.at.eu.org> wrote:
> Then you clearly use broken tools. I'm sorry but with all the mailers
> I know, signing a mail is just clicking on a button or typing a
> shortcut, and then typing the passphrase.


Your passphrase is too simple. ;-)

> It already happened that a bug report was closed by a spam. So the
> problem does exists, you cant deny it. What you can say it that you are
> questioning the importance of the issue.


Not the importance but the extent, and I claim that one bug being
closed by spam is no problem.
cu andreas
--
NMUs aren't an insult, they're not an attack, and they're
not something to avoid or be ashamed of.
Anthony Towns in 2004-02 on debian-devel


Julian Mehnle

2004-03-13, 1:34 pm

Andreas Barth wrote:
> * Julian Mehnle (lists@mehnle.net) [040313 13:40]:
> Sorry, but I try to protect my private key. There are computers where
> I do QA work from (and send mail to the bts), but where I _won't_ plug
> into my private key. Because: If someone gets access to my private
> key, he can do a lot of damage.


Since when are plugged USB keys automatically shared throughout the
network? And since when can you not encrypt your private key with a
passphrase? Don't tell me the computer you store your private key on
has no network/internet access.

> Well, and please become maintainer of at least one package before
> trying to enforce some restrictions on the way package maintainers can
> do their work.


I knew that would come as soon as someone had the feeling he was losing
the argument, but luckily I'm confident enough so I cannot be bothered
by such elitism bullshit. How would me being a DD or a package
maintainer change the validity of my arguments? This is a serious
question for which I'd like to receive a serious answer. Further, I
invite you to show me where I was trying to enforce *anything*.

You yourself claimed that "there are some non-DDs who do just great
QA-work". Incidentally, I'm one of these, and I have reported and
helped to debug numerous Debian bugs in the past, which I consider
valuable QA work. Besides, I may not be a DD or a Debian package
maintainer, but I do have written non-Debian software and have used
bugtrackers in the process, so I actually know what I'm talking about.

> Yes, you don't maintain any packages and don't do any QA work and
> don't be a DD. So please restrict yourself to speaking about things
> you know, and don't try to put restrictions on the way other people do
> their work.


Sure. Whatever.

> Blah. _You're_ doing damange in wasting time of maintainers.


Certainly not. Nobody has to read my messages. Even *you* are free to
ignore me, instead of trying to scare me away with elitism and unfounded
ad hominem attacks.
Thomas Viehmann

2004-03-13, 2:34 pm

Julian Mehnle wrote:
> Only DDs, the maintainer, and the reporter -- if his initial report was signed.


That's unreasonable from my point of view and does not buy any security:
The header is not signed. I could just take any signed mail and use that
to close anything.
(And yes, I have closed some bug reports where I try to help out.)

> Careful. There *is* a good reason. Maybe it isn't good enough, but it is there.


No. At best, you can argue that there is a harm; significance is
utterly questionable. You aren't even close to having a prima facie
reasonable argument in favor of your solution.

> That would be another possibility. No problem with me -- until
> some class of attackers start attacking the BTS systematically.


Your proposal doesn't solve this.

Cheers

T.
--
Thomas Viehmann, <http://beamnet.de/tv/>
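Thomas's replay point (a signature covers the body, not the address the mail was sent to) and his earlier "Closes:" pseudoheader suggestion, as an added example that is code neither from this thread nor from the Debian BTS: a checker that treats a mail to NNNN-done@ as a valid close only if the body, the part a signature would cover, names the same bug in a Closes: pseudoheader. It assumes pseudoheaders sit in the leading lines of the body before the first blank line; the three messages and the bug number 123456 are constructed samples.

```python
"""Constructed checker for close requests mailed to NNNN-done@bugs.debian.org.

Not the Debian BTS code: an added illustration of why a signature over the
body alone does not bind a mail to one bug, and how a body-level
"Closes:" pseudoheader naming the bug closes that gap.
"""
import email
import email.policy
import re

# Control addresses that close a bug: <bugnumber>-done@ or <bugnumber>-close@.
DONE_ADDR = re.compile(r"^(\d+)-(?:done|close)@bugs\.debian\.org$", re.IGNORECASE)
CLOSES_LINE = re.compile(r"^Closes:\s*(.+)$", re.IGNORECASE)


def target_bug(msg):
    """Bug number addressed via To:/Cc:, or None if no close address is present."""
    for header in msg.get_all("To", []) + msg.get_all("Cc", []):
        for address in header.addresses:
            m = DONE_ADDR.match(address.addr_spec.strip())
            if m:
                return int(m.group(1))
    return None


def closes_pseudoheader(body):
    """Bug numbers named by Closes: lines in the leading block of the body.

    Assumption (not taken from the thread): pseudoheaders must appear before
    the first blank line, so text further down the mail is not consulted.
    """
    bugs = set()
    for line in body.splitlines():
        if not line.strip():
            break
        m = CLOSES_LINE.match(line)
        if m:
            bugs.update(int(n) for n in re.findall(r"\d+", m.group(1)))
    return bugs


def check_close_request(raw):
    """Return (accepted, reason) for one raw RFC 2822 message string."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    bug = target_bug(msg)
    if bug is None:
        return False, "not addressed to a -done/-close address"
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    named = closes_pseudoheader(body)
    if not named:
        # Anyone (or any spam tool) can set the recipient address; only the
        # body is what a signature covers, so the bug must be named there.
        return False, "no Closes: pseudoheader in body"
    if bug not in named:
        # A body written for a different bug but re-addressed to this one:
        # the replay Thomas describes.  Reject the mismatch.
        return False, "Closes: names %s, not #%d" % (sorted(named), bug)
    return True, "body names #%d" % bug


# Constructed sample messages (illustrative addresses and text only).
SPAM = """\
From: anyone@example.invalid
To: 190721-close@bugs.debian.org
Subject: unsolicited offer

Buy now.
"""

LEGIT = """\
From: maintainer@example.invalid
To: 190721-done@bugs.debian.org
Subject: fixed in upload

Closes: #190721

Fixed in the latest upload; thanks for the report.
"""

# Same body as a close for constructed bug 123456, re-addressed to 190721.
REPLAYED = """\
From: maintainer@example.invalid
To: 190721-done@bugs.debian.org
Subject: fixed in upload

Closes: 123456

Fixed in the latest upload; thanks for the report.
"""

if __name__ == "__main__":
    for label, raw in (("spam", SPAM), ("legit", LEGIT), ("replayed", REPLAYED)):
        print(label, check_close_request(raw))
```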

Chad Walstrom

2004-03-13, 3:33 pm

On Sat, Mar 13, 2004 at 10:58:21AM +0100, Isaac Clerencia wrote:
> While I definitely see this as bad(TM), i don't see this as a big
> breakdown of our BTS. As long as developers keep an eye at the bugs
> reports, and attend theire mail I don't see a major problem in this.


Perhaps it's time for cookie auto-replies for emails to BTS.

--
Chad Walstrom <chewie@wookimus.net> http://www.wookimus.net/
assert(expired(knowledge)); /* core dump */

Andreas Barth

2004-03-13, 3:33 pm

* Julian Mehnle (lists@mehnle.net) [040313 19:21]:
> Andreas Barth wrote:
> Since when are plugged USB keys automatically shared throughout the
> network? And since when can you not encrypt your private key with a
> passphrase?


Since when is it possible to install a keylogger, or (as root) change
the gpg binary? And I work at computers I don't trust enough that they
may get access to my gpg key in any way.


>
> I knew that would come as soon as someone had the feeling he was
> losing the argument, but luckily I'm confident enough so I cannot be
> bothered by such elitism bullshit. How would me being a DD or a
> package maintainer change the validity of my arguments? This is a
> serious question for which I'd like to receive a serious answer.


Well, of course it doesn't change the validity. Your arguments are
wrong, but _perhaps_ you'd recognize it yourself.


> Certainly not. Nobody has to read my messages. Even *you* are free
> to ignore me


Ok, I'll do that in future. You're honored to be the first one on the
debian mailing lists whom I'm going to ignore completely.


Andi
--
http://home.arcor.de/andreas-barth/
PGP 1024/89FB5CE5 DC F1 85 6D A6 45 9C 0F 3B BE F1 D0 C5 D1 D9 0C


Florent Rougon

2004-03-13, 3:33 pm

"Julian Mehnle" <lists@mehnle.net> wrote:

> Since when are plugged USB keys automatically shared throughout the
> network? And since when can you not encrypt your private key with a
> passphrase? Don't tell me the computer you store your private key on
> has no network/internet access.


You don't understand. The point is about managing bugs from just about
any Internet-connected computer. Using your GPG key on such a computer
is very dangerous. This is indeed one of the best ways to have it
compromised.

The password doesn't protect it, by the way. If you want to do something
with a bug, you'll have to type the password. On a cracked computer,
this means giving the password to the attacker.

[ For the rest of your message: please learn to wrap. ]

--
Florent


Andreas Barth

2004-03-13, 3:33 pm

* Chad Walstrom (chewie@wookimus.net) [040313 19:50]:
> On Sat, Mar 13, 2004 at 10:58:21AM +0100, Isaac Clerencia wrote:
> Perhaps it's time for cookie auto-replies for emails to BTS.


_Please_ don't try to implement another way of wasting maintainers time.


Cheers,
Andi
--
http://home.arcor.de/andreas-barth/
PGP 1024/89FB5CE5 DC F1 85 6D A6 45 9C 0F 3B BE F1 D0 C5 D1 D9 0C


Florian Weimer

2004-03-13, 3:33 pm

Mathieu Roy wrote:

> Still, it is strange to see that any bug can be closed without being
> sure of the origin of the request.


I suppose this is a feature. This way, you can fix some issues
(duplicates, non-bugs) even though you aren't a developer.

--
Current mail filters: many dial-up/DSL/cable modem hosts, and the
following domains: atlas.cz, bigpond.com, freenet.de, hotmail.com,
libero.it, netscape.net, postino.it, tiscali.co.uk, tiscali.cz,
tiscali.it, voila.fr, wanadoo.fr, yahoo.com.


Mark Brown

2004-03-13, 3:33 pm

On Sat, Mar 13, 2004 at 06:52:56PM +0100, Julian Mehnle wrote:

> passphrase? Don't tell me the computer you store your private key on
> has no network/internet access.


That is what is generally considered best practice. My understanding is
that several developers actually manage to do this.

--
"You grabbed my hand and we fell into it, like a daydream - or a fever."


Thomas Viehmann

2004-03-13, 3:33 pm

Julian Mehnle wrote:
> Since when are plugged USB keys automatically shared throughout the network?
> And since when can you not encrypt your private key with a passphrase? Don't
> tell me the computer you store your private key on has no
> network/internet access.

Plugging USB keys makes them available on the computer you plug it into,
same as if it was stored on its hard drive.

> I knew that would come as soon as someone had the feeling he was losing
> the argument, but luckily I'm confident enough so I cannot be bothered
> by such elitism bullshit. How would me being a DD or a package
> maintainer change the validity of my arguments? This is a serious
> question for which I'd like to receive a serious answer.


If you had maintained a package or helped out with maintenance, you
could assess how much limiting the bts control access would impact you.
That'd be one datapoint, not much, but certainly more than zero.

Kind regards

T.

--
Thomas Viehmann, <http://beamnet.de/tv/>

Clint Adams

2004-03-13, 5:34 pm

> It already exists. The problem is that *everyone* can control bugs in the BTS. Spammers unintentionally closing bugs is not the problem, it's just one of the possible symptoms.

No, the problem is that someone wants to change this behavior.


John Hasler

2004-03-13, 6:34 pm

Thomas Viehmann writes:
> If you had maintained a package or helped out with maintenance, you could
> assess how much limiting the bts control access would impact you. That'd
> be one datapoint, not much, but certainly more than zero.


I'm about to close a bug on one of my packages because it is now getting
several spams a day. Perhaps I should just let the spammers do it for me.

I don't think that the BTS should require GPG signatures, but something
like a required pseudo-header might be a good idea.
--
John Hasler
john@dhh.gt.org
Dancing Horse Hill
Elmwood, Wisconsin


Wouter Verhelst

2004-03-13, 6:34 pm

On Sat, Mar 13, 2004 at 11:50:03AM +0100, Mathieu Roy wrote:
> but it should take more than sending a mail to fool them. Being forced
> to create a GPG signature (and so creating an address) for each spam,
> I'm not sure it would make spammers happy.


So, you would like to see our mailservers DoSed because they need to
throw CPU power at anything that vaguely resembles a PGP signature?

--
Wouter Verhelst
Debian GNU/Linux -- http://www.debian.org
Nederlandstalige Linux-documentatie -- http://nl.linux.org
"Stop breathing down my neck." "My breathing is merely a simulation."
"So is my neck, stop it anyway!"
-- Voyager's EMH versus the Prometheus' EMH, stardate 51462.

Wouter Verhelst

2004-03-13, 6:34 pm

On Sat, Mar 13, 2004 at 04:54:20PM +0100, Mathieu Roy wrote:
> Andreas Metzler <ametzler@downhill.at.eu.org> wrote:
>
> Then you clearly use broken tools. I'm sorry but with all the mailers
> I know, signing a mail is just clicking on a button or typing a
> shortcut, and then typing the passphrase.


I hope for your sake that your passphrase is not just a single-letter
thingy. If it is, thanks for providing me with some inside information
to work on my web of trust; if it isn't, well, the most work in signing
*anything* is exactly in typing the passphrase. My gpg passphrase is
significantly longer than my 8-letter logon password; entering that when
sending a mail is what I call "work", even with the 60-second timeout
mutt gives me when signing a mail (since usually, it takes me more than
that time to prepare the mail).

>
> It already happened that a bug report was closed by a spam.


*newsflash*

It's happened multiple times, not just once. Once a bugreport has been
closed (with the -close address) and reopened, there's a -close address
on the web ready for harvesters; that's when spam closes bugs.

--
Wouter Verhelst
Debian GNU/Linux -- http://www.debian.org
Nederlandstalige Linux-documentatie -- http://nl.linux.org
"Stop breathing down my neck." "My breathing is merely a simulation."
"So is my neck, stop it anyway!"
-- Voyager's EMH versus the Prometheus' EMH, stardate 51462.

Julian Mehnle

2004-03-13, 7:34 pm

Thomas Viehmann wrote:
> Julian Mehnle wrote:
>
> That's unreasonable from my point of view and does not buy any security:
> The header is not signed. I could just take any signed mail and use
> that to close anything. (And yes, I have closed some bug reports where
> I try to help out.)


Of course the control messages would need to be signed by recognized
keys. That was implicit in my suggestion, as the identity of a control
message sender cannot sensibly be verified with confidence any other
way. Apparently, that wasn't obvious enough for some readers.

> At best, you can argue that there is a harm; significance is
> utterly questionable. You aren't even close to having a prima facie
> reasonable argument in favor of your solution.


Well, obviously there are a lot of people here who don't even recognize
the harm (which has already been proven by the recent spam-closed bug).
Plus, others do recognize the harm but consider my suggestion overkill.
As a non-maintainer, it is not *my* packages' bug reports that are prone
to abuse, so I'll accept that and stop participating in this thread.

>
> Your proposal doesn't solve this.


Yes, it does, as long as an attacker's key isn't trusted by the BTS.

Florent Rougon wrote:
> The point is about managing bugs from just about
> any Internet-connected computer. Using your GPG key on such a computer
> is very dangerous. This is indeed one of the best ways to have it
> compromised.
>
> The password doesn't protect it, by the way. If you want to do something
> with a bug, you'll have to type the password. On a cracked computer,
> this means giving the password to the attacker.


For someone *that* paranoid, you're astoundingly ignorant of the BTS'
security vulnerability. Users could even use separate crypto key pairs
for BTS purposes. Oh well, inertia rules.

Wouter Verhelst wrote:
> So, you would like to see our mailservers DoSed because they need to
> throw CPU power at anything that vaguely resembles a PGP signature?


By all means better than letting "our" (will you sue me for saying that
because I'm no DD?) human bug handlers be DoSed.
Julian Mehnle

2004-03-13, 7:34 pm

One last thing:

Florent Rougon wrote:
> "Julian Mehnle" <lists@mehnle.net> wrote:
>=20
> [ For the rest of your message: please learn to wrap. ]


Why don't you tell that to your mail reader?

My messages *are* wrapped in their raw state. Since they are =
transfer-encoded as quoted-printable, your mail reader unwraps them, and =
it should re-wrap them according to your terminal/window width or =
custom-configured wrap width. This is by the design of =
quoted-printable.
Daniel Jacobowitz

2004-03-13, 10:34 pm

On Sun, Mar 14, 2004 at 12:49:20AM +0100, Julian Mehnle wrote:
> One last thing:
>
> Florent Rougon wrote:
>
> Why don't you tell that to your mail reader?
>
> My messages *are* wrapped in their raw state. Since they are
> transfer-encoded as quoted-printable, your mail reader unwraps them,
> and it should re-wrap them according to your terminal/window width or
> custom-configured wrap width. This is by the design of
> quoted-printable.


(A) this is off topic for -devel, please let's not again.

(B) That's by the design of format=flowed, which is entirely different.
quoted-printable is only a transfer encoding; it can be, and
occasionally is, used for binary data. There is no more or less room
for well-behaved mail readers to wrap q-p data than there is to wrap
7bit or 8bit data.

--
Daniel Jacobowitz
MontaVista Software Debian GNU/Linux Developer


Manoj Srivastava

2004-03-13, 11:34 pm

> On Sat, Mar 13, 2004 at 06:52:56PM +0100, Julian Mehnle wrote:

My key has never been on a machine connected to a network. It
has never been on a hard drive of a machine. It has never been
mounted on a machine that has not been cold booted from known read
only media (and disconnected from the network _before_ being
rebooted). This has been standard operating procedure since '97 (I
must confess to having my key on a hard drive prior to '97).

manoj
--
We the unwilling, led by the ungrateful, are doing the
impossible. We've done so much, for so long, with so little, that we
are now qualified to do something with nothing.
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/%7Esrivasta/>
1024R/C7261095 print CB D9 F4 12 68 07 E4 05 CC 2D 27 12 1D F5 E8 6E
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C


Colin Watson

2004-03-14, 12:33 am

On Sat, Mar 13, 2004 at 02:25:30PM -0600, John Hasler wrote:
> Thomas Viehmann writes:
>
> I'm about to close a bug on one of my packages because it is now
> getting several spams a day. Perhaps I should just let the spammers
> do it for me.
>
> I don't think that the BTS should require GPG signatures, but
> something like a required pseudo-header might be a good idea.


A required pseudo-header may happen at some point in the future, but it
will certainly not be done in a hurry or without due thought.

I heartily agree with those people who have observed that requiring a
GPG signature would be an excessive burden.

Cheers,

--
Colin Watson [cjwatson@flatline.org.uk]


Colin Watson

2004-03-14, 12:33 am

On Sun, Mar 14, 2004 at 02:22:07AM +1100, Paul Hampson wrote:
> On Sat, Mar 13, 2004 at 10:38:53AM +0100, josh buhl wrote:
>
>
> As I remember, you report this to owner@bugs.debian.org (or somesuch,
> you wanna check that) and they will flush out that spam and fix its
> wild changes to the bug status database.


He did, having already reopened the bug himself. We removed the spam
from the bug log promptly.

> Normally the maintainer would report it upon seeing a SPAM come in to
> the bug-closing address... Unless their local SPAM-filter chucks the
> message, I guess. :-)


There's also a file on master with a list of addresses that have closed
bugs recently; I browse it from time to time to make sure none of them
look too spammish.

--
Colin Watson [cjwatson@flatline.org.uk]


Andreas Tille

2004-03-14, 3:33 am

On Sun, 14 Mar 2004, Colin Watson wrote:

> There's also a file on master with a list of addresses that have closed
> bugs recently; I browse it from time to time to make sure none of them
> look too spammish.

Just an idea from somebody who mostly ignored this thread (so ignore
this mail if this idea was raised in the past):
What about if bugs can only be closed by mails from
the submitter's address or by a developer-signed mail / upload.
This should allow all people who are allowed to close the
bug to close it but leaves out spammers as well as people
who try to boycott the BTS.

Kind regards

Andreas.


Turbo Fredriksson

2004-03-14, 4:34 am

Quoting "Julian Mehnle" <lists@mehnle.net>:

> Thomas Viehmann wrote:
>
> Only DDs, the maintainer, and the reporter -- if his initial report was signed.


Or, as a precaution for SPAMs closing bugs - _ANY_ PGP/GPG signed mail!

I doubt that spammers will start PGP/GPG signing their spam... ever.
--
Semtex SDI radar AK-47 fissionable CIA tritium subway Ft. Meade
munitions killed cryptographic explosion Marxist DES
[See http://www.aclu.org/echelonwatch/index.html for more about this]


Turbo Fredriksson

2004-03-14, 4:34 am

Quoting Andreas Barth <aba@not.so.argh.org>:

> * Julian Mehnle (lists@mehnle.net) [040313 13:10]:
>
>
> Come on. You're trying to fix a problem we don't really have. Please:
> If it is not broken, then don't fix it.


There IS a problem! I don't always GET the bug report in the first place,
so why shouldn't I miss the CLOSING(s) as well!?

> And: There are some non-DDs who do just great QA-work. You don't want
> to exclude them?


No one said we would. And if we 'design' the closing in such a way that
we're excluding SPAMMERS, but no one there's no problem in changing the
BTS...

Either a 'Closes: ...' header/part of the body or ANY signed mail will
work to exclude spammers.
--
explosion SEAL Team 6 strategic cryptographic quiche SDI Qaddafi
Khaddafi South Africa NORAD killed Honduras bomb spy Panama
[See http://www.aclu.org/echelonwatch/index.html for more about this]


Andreas Metzler

2004-03-14, 5:33 am

Julian Mehnle <lists@mehnle.net> wrote:
> Thomas Viehmann wrote:
> Of course the control messages would need to be signed by recognized
> keys. That was implicit in my suggestion, as the identity of a
> control message sender cannot sensibly be verified with confidence
> any other way. Apparently, that wasn't obvious enough for some
> readers.

[...]

You are missing Thomas' point. If you sign a mail message you only
sign the body of the message (neither Subject nor To nor Date), so
nothing is keeping me from taking *this* <40534D87.3040106@beamnet.de>
message by Thomas and bouncing it to nnnnnnn-done@bugs.debian.org. -
It still has a verifiable signature by a DD.

Therefore your proposal of simply requiring signing by a DD is
security-wise just as (in)effective as requiring every message that is
changing a bug's status (-done/control) must contain: "X-BTS: Really
no spam".

There are two ways to fix your proposal:
* Use non-standard signatures that verify the header, too. (They are
used in usenet but no[1] mail-client supports them.)
* Abolish nnnnnnn-done@bugs.debian.org or require a magic
keyword/header to make it effective

The former is undoable, the latter would fix the perceived problem
(spam changing a bug's status) without the additional need for
pgp-signing.
cu andreas
[1] Except Gnus I assume. ;-)
--
NMUs aren't an insult, they're not an attack, and they're
not something to avoid or be ashamed of.
Anthony Towns in 2004-02 on debian-devel


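The replay Andreas Metzler describes (an OpenPGP signature covers only the body, so any DD-signed list mail can be bounced to nnnnnnn-done@), together with the "magic keyword/header" fix and the cheap-checks-first ordering the DoS discussion asks for, modelled as a small acceptance gate. This is an added example, not the Debian BTS code; the HMAC stand-in for signature verification, the key id `0xDDKEY1`, the `-----SIG` trailer format and the `Closes: #NNN` pseudo-header syntax are all constructed for the example.

```python
import hashlib
import hmac
import re
from email import message_from_string

# Constructed keyring: key id -> shared secret. The real BTS would verify
# OpenPGP signatures against developer public keys; HMAC-SHA256 stands in
# here so the example runs offline without gpg. The key id is made up.
TRUSTED_KEYS = {"0xDDKEY1": b"constructed-secret-for-dd-key-1"}

# Constructed trailer format marking where the signed text ends.
SIG_MARK = "\n-----SIG "

# Control addresses as used in the thread: NNNNNN-done@ / NNNNNN-close@.
CONTROL_ADDR = re.compile(r"^(\d+)-(done|close)@bugs\.debian\.org$")

# The "required pseudo-header" idea from the thread, in a constructed
# syntax: the control intent has to appear inside the signed text.
PSEUDO_HEADER = re.compile(r"^Closes:\s*#?(\d+)\s*$", re.MULTILINE)


def sign_text(text, key_id):
    """Constructed helper: append a trailer that authenticates `text`."""
    mac = hmac.new(TRUSTED_KEYS[key_id], text.encode(), hashlib.sha256).hexdigest()
    return f"{text}{SIG_MARK}{key_id} {mac}-----\n"


def verify_text(signed):
    """Return (key_id, text) when the trailer is a valid signature by a
    trusted key over exactly `text`; otherwise (None, signed)."""
    idx = signed.rfind(SIG_MARK)
    if idx < 0:
        return None, signed
    text = signed[:idx]
    trailer = signed[idx + len(SIG_MARK):].strip()
    m = re.fullmatch(r"(\S+) ([0-9a-f]{64})-----", trailer)
    if not m or m.group(1) not in TRUSTED_KEYS:
        return None, signed
    key_id, mac = m.groups()
    expect = hmac.new(TRUSTED_KEYS[key_id], text.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expect):
        return None, signed
    return key_id, text


def gate(raw_mail):
    """Decide whether a mail to a -done/-close address may close the bug.

    Returns (verdict, reason). The cheap textual checks run before the
    signature check, so junk mail never costs a crypto operation."""
    msg = message_from_string(raw_mail)
    addr = CONTROL_ADDR.match((msg["To"] or "").strip())
    if not addr:
        return "ignore", "not a control address"
    bug = int(addr.group(1))
    body = msg.get_payload()
    # Harvested spam carries no pseudo-header: dropped here, no crypto run.
    if not PSEUDO_HEADER.search(body):
        return "reject", "no Closes: pseudo-header"
    key_id, text = verify_text(body)
    if key_id is None:
        return "reject", "signature missing, invalid, or key not trusted"
    # The To: header is not covered by the signature, so a genuine signed
    # list mail bounced to NNNNNN-done passes the check above. Binding the
    # action to the signature means the bug number must be inside the
    # signed text and must match the address the mail was sent to.
    ph = PSEUDO_HEADER.search(text)
    if not ph:
        return "reject", "Closes: pseudo-header is outside the signed text"
    if int(ph.group(1)) != bug:
        return "reject", f"signed text closes #{ph.group(1)}, address names #{bug}"
    return "accept", f"close #{bug} by {key_id}"


def _mail(to, body):
    """Constructed minimal RFC 822 message."""
    return f"From: someone@example.com\nTo: {to}\nSubject: x\n\n{body}"


# Constructed sample messages; 190721 is the bug number from the thread.
# 1. A real signed list reply bounced to the -done address (the replay
#    Andreas Metzler describes): the signature verifies, the gate rejects.
SIGNED_LIST_MAIL = sign_text("Replying on -devel: I agree with that.\n", "0xDDKEY1")
REPLAYED = _mail("190721-done@bugs.debian.org", SIGNED_LIST_MAIL)
# 2. Unsigned spam to a harvested -close address.
SPAM = _mail("190721-close@bugs.debian.org", "Buy now!!!\n")
# 3. A proper control message: the intent is stated inside the signed text.
GOOD = _mail("190721-done@bugs.debian.org",
             sign_text("Fixed in the latest upload.\nCloses: #190721\n", "0xDDKEY1"))
# 4. The same signed text bounced to a different bug's -done address.
WRONG_BUG = _mail("999999-done@bugs.debian.org",
                  sign_text("Fixed in the latest upload.\nCloses: #190721\n", "0xDDKEY1"))
# 5. Signed text altered after signing.
TAMPERED = GOOD.replace("latest upload", "latest uplaod")

if __name__ == "__main__":
    for name, mail in [("replayed", REPLAYED), ("spam", SPAM), ("good", GOOD),
                       ("wrong_bug", WRONG_BUG), ("tampered", TAMPERED)]:
        print(name, gate(mail))
```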
Julian Mehnle

2004-03-14, 7:35 am

Andreas Metzler wrote:
> Julian Mehnle <lists@mehnle.net> wrote:
>
> [...]
> There are two ways to fix your proposal:
> * Use non-standard signatures that verify the header, too. (They are
> used in usenet but no[1] mail-client supports them.)
> * Abolish nnnnnnn-done@bugs.debian.org or require a magic
> keyword/header to make it effective


The latter was also implicit in my suggestion -- of course, the
authoritative controlling aspect of a control message would need to be
signed. I absolutely agree that the mere arrival of a message with some
signed random body wouldn't be sufficient to actually induce any control
actions by the BTS.


Bartosz Fenski aka fEnIo

2004-03-14, 8:34 am

On Sat, Mar 13, 2004 at 05:47:28PM +0100, Andreas Barth wrote:
> I disagree. What if someone helping me with some of my packages is
> closing bugs because they're void? Would I need to sponsor the
> changing? That's ridiculous.

I wonder how many packages/bugs were solved this way?
How often does it occur to you?

Every security improvement always implies some limitations.

regards
fEnIo

--
_ Bartosz Feński aka fEnIo | mailto:fenio@o2.pl | pgp:0x13fefc40
_|_|_ 32-050 Skawina - Głowackiego 3/15 - w. małopolskie - Polska
(0 0) phone:+48602383548 | ICQ:46704720 | GG:726362 | IRC:fEnIo
ooO--(_)--Ooo http://skawina.eu.org | JID:fenio@jabber.org | RLU:172001

Marco d'Itri

2004-03-14, 10:34 am

On Mar 14, Andreas Tille <tillea@rki.de> wrote:

> Just an idea from somebody who mostly ignored this thread (so ignore
> this mail if this idea was raised in the past):
> What about if bugs can only be closed by mails from
> the submitters address or by a developer signed mail / upload.

What about if instead of removing useful features from our procedures we
stop spam instead?

--
ciao, |
Marco | [5096 abSSR624SbD3k]


Andreas Tille

2004-03-14, 11:35 am

On Sun, 14 Mar 2004, Marco d'Itri wrote:

> What about if instead of removing useful features from our procedures we
> stop spam instead?

Which is the useful feature which would be removed by my proposal above?

Kind regards

Andreas.


Julian Mehnle

2004-03-14, 12:34 pm

Marco d'Itri wrote:
> What about if instead of removing useful features from our procedures
> we stop spam instead?


What about if instead of fixing security vulnerabilities we stop
crackers instead?

Generally, I'm all for fighting causes instead of fighting symptoms.
But while we certainly shouldn't stop fighting spam, we cannot deny its
existence.
Mathieu Roy

2004-03-14, 6:34 pm

Wouter Verhelst <wouter@grep.be> wrote:

> On Sat, Mar 13, 2004 at 04:54:20PM +0100, Mathieu Roy wrote:
>
> I hope for your sake that your passphrase is not just a single-letter
> thingy.


I am not a fool. My passphrase is a _phrase_.

> If it is, thanks for providing me with some inside information to
> work on my web of trust; if it isn't, well, the most work in signing
> *anything* is exactly in typing the passphrase. My gpg passphrase is
> significantly longer than my 8-letter logon password; entering that
> when sending a mail is what I call "work", even with the 60-second
> timeout mutt gives me when signing a mail (since usually, it takes
> me more than that time to prepare the mail.


How long do you need to type "I hope for your sake that your
passphrase is not just a single-letter thingy"?



--
Mathieu Roy

+---------------------------------------------------------------------+
| General Homepage: http://yeupou.coleumes.org/ |
| Computing Homepage: http://alberich.coleumes.org/ |
| Not a native english speaker: |
| http://stock.coleumes.org/doc.php?i.../flawed-english |
+---------------------------------------------------------------------+


Mathieu Roy

2004-03-14, 6:34 pm

Florian Weimer <fw@deneb.enyo.de> wrote:

> Mathieu Roy wrote:
>
>
> I suppose this is a feature. This way, you can fix some issues
> (duplicates, non-bugs) even though you aren't a developer.



It is possible to check the origin of a request without restricting
requests to DD. Why not?

--
Mathieu Roy

+---------------------------------------------------------------------+
| General Homepage: http://yeupou.coleumes.org/ |
| Computing Homepage: http://alberich.coleumes.org/ |
| Not a native english speaker: |
| http://stock.coleumes.org/doc.php?i.../flawed-english |
+---------------------------------------------------------------------+


Blars Blarson

2004-03-14, 8:33 pm

In article <87vfl7rflf.fsf@papadoc.bayour.com> turbo@debian.org writes:
>Or, as a precaution for SPAMs closing bugs - _ANY_ PGP/GPG signed mail!
>
>I doubt that spammers will start PGP/GPG sign their spam... ever.


Some spammers already do fake pgp signatures hoping to score as
non-spam on spam-scoring systems. If checking for real signatures (as
opposed to just looking like a signed message) becomes popular, I'm
sure spammers will start creating throw-away keys.

--
Blars Blarson blarson@blars.org
http://www.blars.org/blars.html
With Microsoft, failure is not an option. It is a standard feature.


Wouter Verhelst

2004-03-15, 4:34 am

On Sun, Mar 14, 2004 at 07:15:44PM +0100, Mathieu Roy wrote:
> Wouter Verhelst <wouter@grep.be> wrote:
>
>
> I am not a fool. My passphrase is a _phrase_.


Good :-)

>
> How long do you need to type "I hope for your sake that your
> passphrase is not just a single-letter thingy"?


Not long, but the two aren't really alike. Entering a passphrase easily
becomes a burden; if you have to do it a lot of times in sequence, it's
a pain.

Speaking from experience as the previous maintainer of the Linux Gazette
packages here (uploading a new version of lg-issue*, with minor changes,
took over two hours, which is one of the reasons I gave up maintenance
of those packages).

--
Wouter Verhelst
Debian GNU/Linux -- http://www.debian.org
Nederlandstalige Linux-documentatie -- http://nl.linux.org
"Stop breathing down my neck." "My breathing is merely a simulation."
"So is my neck, stop it anyway!"
-- Voyager's EMH versus the Prometheus' EMH, stardate 51462.

Frank Küster

2004-03-15, 5:34 am

Mathieu Roy <yeupou@gnu.org> wrote:

>
> How long do you need to type "I hope for your sake that your
> passphrase is not just a single-letter thingy"?


In this case, it's rather fast, since flyspell can highlight the
errors. In my passphrase, it couldn't, even if it was displayed as
plaintext.

Regards, Frank
--
Frank Küster, Biozentrum der Univ. Basel
Abt. Biophysikalische Chemie
Frank Küster

2004-03-15, 5:34 am

Andreas Metzler <ametzler@downhill.at.eu.org> wrote:

> Mathieu Roy <yeupou@gnu.org> wrote:
>

You don't maintain a package with many open bugreports, lucky you, if
you believe it "already happened" to _one_ bug...
> So the
>
> Not the importance but the extent, and I claim that one bug being
> closed by spam is no problem.


Especially given that the bug[1] was against a package with a list of
maintainers - I am rather astonished that it wasn't reopened multiple
times.

If a package maintainer doesn't notice that the status (closing, tags,
upstream, whatever) of his or her bugs has been changed by spam, he/she
should really consider orphaning the package.

Regards, Frank

[1] if I remember the number correctly, and it wasn't two bugs this
weekend
--
Frank Küster, Biozentrum der Univ. Basel
Abt. Biophysikalische Chemie
Florian Weimer

2004-03-15, 10:36 am

Wouter Verhelst wrote:

> On Sat, Mar 13, 2004 at 11:50:03AM +0100, Mathieu Roy wrote:
>
> So, you would like to see our mailservers DoSed because they need to
> throw CPU power at anything that vaguely resembles a PGP signature?


All SMTP servers are an easy DoS target because of the large command
timeouts.

--
Current mail filters: many dial-up/DSL/cable modem hosts, and the
following domains: atlas.cz, bigpond.com, freenet.de, hotmail.com,
libero.it, netscape.net, postino.it, tiscali.co.uk, tiscali.cz,
tiscali.it, voila.fr, wanadoo.fr, yahoo.com.


Florian Weimer

2004-03-15, 10:36 am

Mathieu Roy wrote:

> It is possible to check the origin of a request without restricting
> requests to DD. Why not?


I think it's much easier to implement some form of restriction which
doesn't depend on the bug metadata.

But I'm not familiar with the BTS, so I won't demand any changes because
I cannot estimate the work that is involved.

--
Current mail filters: many dial-up/DSL/cable modem hosts, and the
following domains: atlas.cz, bigpond.com, freenet.de, hotmail.com,
libero.it, netscape.net, postino.it, tiscali.co.uk, tiscali.cz,
tiscali.it, voila.fr, wanadoo.fr, yahoo.com.


Wouter Verhelst

2004-03-15, 10:36 am

On Mon, Mar 15, 2004 at 03:44:00PM +0100, Florian Weimer wrote:
> Wouter Verhelst wrote:
>
> All SMTP servers are an easy DoS target because of the large command
> timeouts.


That's a reason to make the situation worse?

--
Wouter Verhelst
Debian GNU/Linux -- http://www.debian.org
Nederlandstalige Linux-documentatie -- http://nl.linux.org
"Stop breathing down my neck." "My breathing is merely a simulation."
"So is my neck, stop it anyway!"
-- Voyager's EMH versus the Prometheus' EMH, stardate 51462.

Florian Weimer

2004-03-15, 10:36 am

Wouter Verhelst wrote:

> On Mon, Mar 15, 2004 at 03:44:00PM +0100, Florian Weimer wrote:
>
> That's a reason to make the situation worse?


I just wanted to put things into perspective. If there's a real benefit
if signatures are verified and it's implementable with the available
resources, then go for it. I don't think the DoS risk is a showstopper.

--
Current mail filters: many dial-up/DSL/cable modem hosts, and the
following domains: atlas.cz, bigpond.com, freenet.de, hotmail.com,
libero.it, netscape.net, postino.it, tiscali.co.uk, tiscali.cz,
tiscali.it, voila.fr, wanadoo.fr, yahoo.com.


Wouter Verhelst

2004-03-15, 11:34 am

On Mon, Mar 15, 2004 at 04:13:44PM +0100, Florian Weimer wrote:
> Wouter Verhelst wrote:
>
> I just wanted to put things into perspective. If there's a real benefit
> if signatures are verified and it's implementable with the available
> resources, then go for it. I don't think the DoS risk is a showstopper.


I think it is. It's trivial to create a mail message that vaguely looks
like a PGP-signed message, and send out spam that way. There's no way to
check whether a message has a valid PGP signature except for running gpg
or pgp, which is much more CPU-intensive than adding a random text that
has the look of a PGP signature. Implementing this is equal to creating
a *very* easy DoS attack vector.

--
Wouter Verhelst
Debian GNU/Linux -- http://www.debian.org
Nederlandstalige Linux-documentatie -- http://nl.linux.org
"Stop breathing down my neck." "My breathing is merely a simulation."
"So is my neck, stop it anyway!"
-- Voyager's EMH versus the Prometheus' EMH, stardate 51462.

Florian Weimer

2004-03-15, 11:34 am

Wouter Verhelst wrote:

>
> I think it is. It's trivial to create a mail message that vaguely looks
> like a PGP-signed message, and send out spam that way. There's no way to
> check whether a message has a valid PGP signature except for running gpg
> or pgp, which is much more CPU-intensive than adding a random text that
> has the look of a PGP signature. Implementing this is equal to creating
> a *very* easy DoS attack vector.


It's also very easy to write a PERL script that can DoS almost any SMTP
server on this planet.

Most potential DoS attacks just don't happen, and those that do happen
have a pretty clear motive. Why should anyone want to DoS the BTS by
sending invalid mail messages? It wouldn't stop the web server, so
it's not something to brag with among your peers because it's hardly
visible to the outside.

It's far more likely that some lunatic manipulates bug metadata
or adds offensive messages or reports to the BTS.

--
Current mail filters: many dial-up/DSL/cable modem hosts, and the
following domains: atlas.cz, bigpond.com, freenet.de, hotmail.com,
libero.it, netscape.net, postino.it, tiscali.co.uk, tiscali.cz,
tiscali.it, voila.fr, wanadoo.fr, yahoo.com.


Andreas Tille

2004-03-15, 2:35 pm

On Mon, 15 Mar 2004, Florian Weimer wrote:
But in how far is restricting the ability to close a bug to DDs a
restriction to the current usage. Bugs will (normally) be closed by
uploading fixed packages. This can only be done by DDs. Moreover
a bug can be closed by the submitter - because he recognized that
it was no real bug. Tell me a reasonable (not only theoretical) case
where it is important that anybody else closes a bug.

Kind regards

Andreas.


Enrico Zini

2004-03-15, 2:35 pm

On Mon, Mar 15, 2004 at 07:13:38PM +0100, Andreas Tille wrote:

> But in how far is restricting the ability to close a bug to DDs a
> restriction to the current usage. Bugs will (normally) be closed by
> uploading fixed packages. This can only be done by DDs. Moreover
> a bug can be closed by the submitter - because he recognized that
> it was no real bug. Tell me a reasonable (not only theoretical) case
> where it is important that anybody else closes a bug.


Package A has a bug that's caused by a bug in library B. Library B gets
a new upload before the bug is reassigned. A user of package A could
notice that and close the bug leveraging the work of the busy or
vacationed maintainer of A (although retitling as a request of versioned
depend would be better). In general, users can be the best to discover
that a bug is not so anymore.

People doing random scans of the BTS archive could do investigation and
discover that an old bug, maybe dealing with changing environmental
issues, is not valid anymore, and thus close them.

Has someone proposed a challenge message to confirm the closing of a
bug, like it happens already with subscribing to mailing lists?

Ciao,

Enrico


Thomas Viehmann

2004-03-15, 2:35 pm

Andreas Tille wrote:
> But in how far is restricting the ability to close a bug to DDs a
> restriction to the current usage. Bugs will (normally) be closed by
> uploading fixed packages. This can only be done by DDs. Moreover
> a bug can be closed by the submitter - because he recognized that
> it was no real bug. Tell me a reasonable (not only theoretical) case
> where it is important that anybody else closes a bug.


I did and I hope to continue to be able to. OK?
For example I did with bugs that weren't.
For example I did with bugs that were fixed but not closed by changelog.
I do not wish to bug someone about signing every single mail to BTS.
Is it that hard?

If you do abolish the ability of non-DDs to operate on the bug system,
you start ruining the recruitment process.
If you have become a developer before doing something useful with the
BTS, maybe I should start a thread "The DAM creates accounts way too fast".

Regards

Thomas

P.S.: This mail would have been less harsh if you hadn't entered this
thread with an "I've been ignoring everything you said, here's my
brilliant idea" type mail that basically restated the original starting
message of the thread. That's funny only iff it's on Dilbert (and I'm
more uncertain about if than only if).

--
Thomas Viehmann, <http://beamnet.de/tv/>

Hamish Moffatt

2004-03-15, 5:35 pm

On Sat, Mar 13, 2004 at 12:18:58PM -0600, Chad Walstrom wrote:
> On Sat, Mar 13, 2004 at 10:58:21AM +0100, Isaac Clerencia wrote:
>
> Perhaps it's time for cookie auto-replies for emails to BTS.


Good idea. How about checking a GPG signature if present, else send an
auto-reply asking for confirmation? katie et al should also be able to
close bugs without confirmation.


Hamish
--
Hamish Moffatt VK3SB <hamish@debian.org> <hamish@cloud.net.au>


Andreas Barth

2004-03-15, 5:35 pm

* Hamish Moffatt (hamish@debian.org) [040315 22:55]:
> On Sat, Mar 13, 2004 at 12:18:58PM -0600, Chad Walstrom wrote:
> Good idea. How about checking a GPG signature if present, else send an
> auto-reply asking for confirmation? katie et al should also be able to
> close bugs without confirmation.


Sorry, but this is also broken. It just makes too much work for the
DDs. Better get tougher crossassassin support, and take maintainers
etc into a whitelist.


Cheers,
Andi
--
http://home.arcor.de/andreas-barth/
PGP 1024/89FB5CE5 DC F1 85 6D A6 45 9C 0F 3B BE F1 D0 C5 D1 D9 0C


Julian Mehnle

2004-03-15, 6:34 pm

Thomas Viehmann wrote:
> I do not wish to bug someone about signing every single mail to BTS. Is
> it that hard?


You wouldn't have to. Is it that hard?

> If you do abolish the ability of non-DDs to operate on the bug system,
> you start ruining the recruitment process.


Definitely not. You don't need to be a DD to be a package maintainer or
co-maintainer. And you certainly don't need to be a DD to open a new
bug report, and -- as its reporter -- be able to close it again.
Josip Rodin

2004-03-15, 6:34 pm

On Mon, Mar 15, 2004 at 11:06:03PM +0100, Andreas Barth wrote:
> Better get tougher crossassassin support


Um. Get crossassassin _at all_, I still haven't had time to integrate it
into debbugs spamscan...

--
2. That which causes joy or happiness.


Andreas Tille

2004-03-16, 3:34 am

On Mon, 15 Mar 2004, Enrico Zini wrote:

> Package A has a bug that's caused by a bug in library B. Library B gets
> a new upload before the bug is reassigned. A user of package A could
> notice that and close the bug leveraging the work of the busy or
> vacationed maintainer of A (although retitling as a request of versioned
> depend would be better). In general, users can be the best to discover
> that a bug is not so anymore.

Sure - they should forward this information to the BTS and perhaps they
could tag it "fixed". But they should not *close* the bug.

> People doing random scans of the BTS archive could do investigation and
> discover that an old bug, maybe dealing with changing environmental
> issues, is not valid anymore, and thus close them.

IMHO, closing a bug should be done by the maintainer or the QA team in
case of MIA maintainers but not by random users.

Kind regards

Andreas.


Andreas Tille

2004-03-16, 3:34 am

On Mon, 15 Mar 2004, Thomas Viehmann wrote:

> I did and I hope continue to be able to. OK?

Sorry - this is not really OK, IMHO.

> For example I did with bugs that weren't.

I'd love to see the package maintainer decide whether a bug is a bug or not.

> For example I did with bugs that were fixed but not closed by changelog.

This is nice of you but I do not really want to spend our users time for
fixing problems of lazy maintainers.

> I do not wish to bug someone about signing every single mail to BTS.

We do not talk about *every* mail but only <bug-nr>-done mails.

> If you do abolish the ability of non-DDs to operate on the bug system,
> you start ruining the recruitment process.
> If you have become a developer before doing something useful with the
> BTS, maybe I should start a thread "The DAM creates accounts way too fast".

Well, the BTS has more useful applications than closing bugs and thus you
are free to do plenty of stuff with it. You could even close those bugs
you might have opened by yourself. ;-)

> P.S.: This mail would have been less harsh if you hadn't entered this
> thread with an "I've been ignoring everything you said, here's my
> brilliant idea" type mail that basically restated the original starting
> message of the thread. That's funny only iff it's on Dilbert (and I'm
> more uncertain about if than only if).

Your mail was not really harsh and I just introduced my first mail with
this sentence because a short browsing of the history gave no hint of a
signed close-procedure, which seems to be reasonable to me. If I had
overlooked a similar suggestion I would have tried to use my
sentence as an excuse. ;-)

Kind regards

Andreas.


Adam McKenna

2004-03-16, 2:35 pm

On Sat, Mar 13, 2004 at 02:35:28PM -0500, Clint Adams wrote:
>
> No, the problem is that someone wants to change this behavior.


What the XXXX? Why does being a DD or a bug submitter mean that you must be
continually bombarded with spam, because Debian fails to take the least of
precautions or spam prevention for fear of inconveniencing a few people?

I'm getting so much spam through my debian account that I'm already
considering closing it down. We must now tolerate spammers closing bugs?

There are a lot of large projects, including the mozilla project, that
require addresses to be registered with a password just to submit a bug.
This is the model we should be moving toward. The current situation is
totally unacceptable.

--Adam


John Hasler

2004-03-16, 2:35 pm

Adam writes:
> There are a lot of large projects, including the mozilla project, that
> require addresses to be registered with a password just to submit a bug.


That's excessive. A pseudoheader and possibly a confirmation message to
previously unknown addresses should suffice.
--
John Hasler
john@dhh.gt.org
Dancing Horse Hill
Elmwood, Wisconsin


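The proposals in this thread (Enrico's challenge message, Hamish's "confirm unless whitelisted", Andreas Barth's maintainer whitelist, John's confirmation to previously unknown addresses) amount to one triage policy for mail sent to an NNN-done address. The following is an added illustration, not debbugs code: a stateless HMAC cookie bound to bug number and sender, handed out only after the cheap checks pass. Secret, whitelist, submitter table and sample mails are constructed for the example; GPG verification is deliberately left out, since it is the expensive step Wouter warns about and would slot in only for senders that reach the challenge stage.

```python
import hashlib
import hmac
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed configuration for this example; not debbugs' real settings.
SECRET = b"constructed-secret-replace-in-production"
# Senders allowed to close without a challenge: archive tooling and maintainers.
WHITELIST = {"katie@ftp-master.debian.org", "maint@example.org"}
# Submitter of record per bug: the reporter may close their own bug.
SUBMITTERS = {190721: "reporter@example.net"}
DONE_RE = re.compile(r"^(\d+)-(?:done|close)@bugs\.debian\.org$")


def make_token(bug, addr):
    """Challenge cookie bound to bug number and sender; nothing to store server-side."""
    return hmac.new(SECRET, f"{bug}:{addr.lower()}".encode(), hashlib.sha256).hexdigest()


def confirm(bug, addr, token):
    """Constant-time check of a cookie that came back in the confirmation reply."""
    return hmac.compare_digest(make_token(bug, addr), token)


def triage_done_mail(raw):
    """Return ('close', bug), ('challenge', bug) or ('ignore', None).

    Cheap header checks run first so unsolicited mail never triggers any
    expensive processing; only a confirmed challenge closes the bug."""
    msg = message_from_string(raw)
    m = DONE_RE.match(parseaddr(msg.get("To", ""))[1].lower())
    if not m:
        return "ignore", None
    bug = int(m.group(1))
    addr = parseaddr(msg.get("From", ""))[1].lower()
    if addr in WHITELIST or SUBMITTERS.get(bug) == addr:
        return "close", bug
    return "challenge", bug


# Constructed sample messages.
SPAM_CLOSE = "From: anyone@example.com\nTo: 190721-close@bugs.debian.org\n\nbuy now\n"
KATIE_CLOSE = "From: katie@ftp-master.debian.org\nTo: 190721-done@bugs.debian.org\n\nfixed\n"

if __name__ == "__main__":
    print(triage_done_mail(SPAM_CLOSE), triage_done_mail(KATIE_CLOSE))
    cookie = make_token(190721, "anyone@example.com")
    print(confirm(190721, "anyone@example.com", cookie))
```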
Adam McKenna

2004-03-16, 6:38 pm

On Mon, Mar 15, 2004 at 04:34:01PM +0100, Wouter Verhelst wrote:
> I think it is. It's trivial to create a mail message that vaguely looks
> like a PGP-signed message, and send out spam that way. There's no way to
> check whether a message has a valid PGP signature except for running gpg
> or pgp, which is much more CPU-intensive than adding a random text that
> has the look of a PGP signature. Implementing this is equal to creating
> a *very* easy DoS attack vector.


Please stop with the FUD. This argument is laughable.

--Adam
--
Adam McKenna <adam@debian.org> <adam@flounder.net>


Thomas Viehmann

2004-03-16, 6:38 pm

Andreas Tille wrote:
[...]
> I'd love to see the package maintainer decide whether a bug is a bug or not.

[...]
> This is nice of you but I do not really want to spend our users time for
> fixing problems of lazy maintainers.

^^^^^^^^^^^^^^^^
What are you talking about?

Has Debian Maintainer Territoriality been expanded to the point where
you have to complain about me helping out on someone else's package?

> We do not talk about *every* mail but only <bug-nr>-done mails.

That's too many.

> Well, the BTS has more useful applications than closing bugs and thus you
> are free to do plenty of stuff with it. You could even close those bugs
> you might have opened by yourself. ;-)

Yeah, or I might just quit caring.
There is no reason not to continue with letting people close bugs.
Handling bugs from new to patch or done is a good way to help out busy
people and should not be artificially restricted.
Even if you want to avoid spam closing bugs, a pseudo-header solution
would be much less intrusive.

> Your mail was not really harsh and I just introduced my first mail with
> this sentence because a short browsing of the history gave no hint of a
> signed close-procedure, which seems to be reasonable to me. If I had
> overlooked a similar suggestion I would have tried to use my
> sentence as an excuse. ;-)

Well, I'm glad if you're not offended. I do believe that your suggestion
is very similar to Julian Mehnle's and all arguments offered against his
suggestion are valid. That's why I followed your instructions and
ignored the first mail, but was not pleased by the "Tell me a reasonable
(not only theoretical) case where it is important that anybody else
closes a bug." I believe that I have seen them.

Cheers

T.

--
Thomas Viehmann, <http://beamnet.de/tv/>

Paul Hampson

2004-03-17, 9:42 am

On Tue, Mar 16, 2004 at 10:28:22AM -0800, Adam McKenna wrote:
> On Sat, Mar 13, 2004 at 02:35:28PM -0500, Clint Adams wrote:
> What the XXXX? Why does being a DD or a bug submitter mean that you must be
> continually bombarded with spam, because Debian fails to take the least of
> precautions or spam prevention for fear of inconveniencing a few people?


What about your own spam precautions? Debian _does_ take the least of
spam precautions. From memory, we have spamassassin against debbugs,
although as mentioned earlier, not crossassassin... yet.

> I'm getting so much spam through my debian account that I'm already
> considering closing it down. We must now tolerate spammers closing bugs?


We don't tolerate it, we put up with it as a necessary evil to allow
free and easy access to the BTS. (For specific values of 'we' obviously)

> There are a lot of large projects, including the mozilla project, that
> require addresses to be registered with a password just to submit a bug.
> This is the model we should be moving toward. The current situation is
> totally unacceptable.


And I'm sure they miss out on bugs (mine, for example) where the finder
doesn't feel the need for _another_ username/password combo just to
submit a single bug.

For larger projects such as Mozilla, they can afford to lose those bugs,
someone else will find 'em. For source-forge hosted projects, one
user/pass covers many many projects, and is useful to have.

For Debian, it strikes me as a pain to have a user/password BTS
system, or anything that will prevent me running reportbug from
whatever random Debian machine I happen to have hit the bug from.

A pseudo-header to match the email address for controlling bugs,
I guess that's acceptable to me. (I usually use control@b.d.o
anyway) However, for _submitting_ bugs, a missing Packages:
header will bring SPAM to the eyes of the debbugs maintainers
quickly anyway, I expect.

Why make it _hard_ to report bugs?
--
-----------------------------------------------------------
Paul "TBBle" Hampson, MCSE
6th year CompSci/Asian Studies student, ANU
The Boss, Bubblesworth Pty Ltd (ABN: 51 095 284 361)
Paul.Hampson@Anu.edu.au

"No survivors? Then where do the stories come from I wonder?"
-- C