| Bruce Sass 2006-11-02, 1:25 am |
| On Wed November 1 2006 16:20, Javier Fern=E1ndez-Sanguino Pe=F1a wrote:
> When I have suggested that (sending signed messages to the BTS to be
> accepted for processing) it was
>
> a) for mails to -close or to control@b.d.o to prevent a
> spammer/malicious person from closing all the bugs or mangling with
> the BTS in such a way that would take us some effort to recover
>
> b) restricted to providing a signed mail, not necessarily with a
> signature in the DD keyring. (this could be added later on to prevent
> abuse, if needed be and could still have a 'whitelist' of valid keys
> which could include non-DDs)
>
> If there's a non-DD playing with the BTS (closing bugs or using
> control@) I guess it's not really too much to ask for them to use
> signed e-mails when fiddling with it. Is it?
I don't think so. Although, it is weaker than a pseudoheader since it=20
would be easier for spammers to sign their messages than look up the=20
package name associated with a particular bug number, and less effort=20
than keeping a whitelist. Furthermore, it would be clear that a spammer=20
was targeting Debian if they did the name<->number look up... which=20
would make it easier to make a case that they are intentionally=20
interfering with Debian's systems.
Keep in mind that my original response was to your post which stated:
"...implemented so as to only consider GPG/PGP signed mail from DDs..."
=2D Bruce
|