Hi Ricardo,

Ricardo Wurmus writes:

> Giovanni Biscuolo writes:
>
>> AFAIU mumi does not (still?) have an authentication/authorization,
>> right?
>>
>> If so how do you plan to deal with users posting SPAM or similar
>> inappropriate content?
>
> It only sends email on behalf of commenters, so we’re using the same
> email mechanism to deal with spam.

Please forgive me if I'm not reading the source code for the relevant mumi function; it would be easier for me to see it in action to understand how the comment feature works.

I mean: I guess commenters are anonymous (?) and the mumi server will send the email via authenticated SMTP (I hope) as user "mumi server" (or something similar) on behalf of the commenter, right?

If so, the email is sent with the SPF and DKIM headers of the mail server configured for the mumi server, and that information is not useful to eventually catch commenter email spoofing.

If I'm not missing something, then, anyone could send a comment as "g@xelera.eu" containing inappropriate content, right?

I know that the GNU mailing lists mail server surely has an antispam service, but it cannot use DMARC (SPF and/or DKIM) to filter email spoofing attempts, and all it can do is to assign a "spamminess" score to messages, which is seldom able to effectively spot "inappropriate" content, right?

Given all this, does this mean that anyone could send an offensive comment as "g@xelera.eu" using the mumi commenting form? ...or are all the mailing lists moderated?

I feel I really miss something important in this picture, sorry for not understanding what!

As an /antipattern/ example of a bug reporting system using a web interface also for comments, I point out the one used by git-annex (ikiwiki):

https://git-annex.branchable.com/bugs/

When you try to "Add a comment", e.g. in:

https://git-annex.branchable.com/bugs/fsck_does_not_detect_corruption_on_yt_vids/

you are presented an authentication form supporting 3 auth methods: registered user, email [1] and OpenID.

I still think that they should just allow me to send an email to report and comment on bugs.

Thanks! Gio'

[1] The server sends you a unique URL you can use to log in, and it expires in one day... why not just send me (forward) the complete message I want to comment on with the right Reply-To field pre-compiled, so I can edit my comment with my lovely MUA instead of that /awful/ web interface?!?

-- 
Giovanni Biscuolo

Xelera IT Infrastructures
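The point made in the message above, that the SPF and DKIM results of the relay that sends a web comment say nothing about the address the commenter typed into From:, can be shown with a DMARC identifier-alignment check. The following is an added example and is not code from mumi, debbugs or the GNU mail servers; the domains `mumi.example` and `xelera.eu`, the two messages, and the simulated SPF/DKIM results are constructed for illustration, and the organizational-domain helper is a deliberate simplification that does not use the Public Suffix List. Whether a receiving server actually rejects or quarantines an unaligned message depends on the DMARC policy the From: domain publishes in DNS; the example only computes the alignment result.

```python
"""
Added example: DMARC identifier alignment for a message relayed on behalf
of an anonymous web commenter.  Not mumi's code; all data is constructed.
"""
from email import message_from_string
from email.utils import parseaddr


def org_domain(domain: str) -> str:
    """Approximate the DMARC 'organizational domain' as the last two labels.
    Real receivers consult the Public Suffix List; this simplification is an
    assumption of the example and is wrong for suffixes such as co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str = "relaxed") -> bool:
    """DMARC identifier alignment (RFC 7489, section 3.1).
    strict: the two domains must be identical;
    relaxed: their organizational domains must match."""
    f, a = from_domain.lower(), auth_domain.lower()
    if mode == "strict":
        return f == a
    return org_domain(f) == org_domain(a)


def dmarc_result(raw_message: str, spf_result: tuple, dkim_result: tuple,
                 mode: str = "relaxed") -> dict:
    """Evaluate DMARC for one message.

    spf_result  = (result, domain SPF was evaluated for, i.e. the MAIL FROM domain)
    dkim_result = (result, value of the d= tag of the verified DKIM signature)

    DMARC passes when at least one mechanism both passed *and* is aligned
    with the domain of the RFC5322.From header.
    """
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg["From"])
    from_domain = from_addr.rpartition("@")[2]

    spf_ok = spf_result[0] == "pass" and aligned(from_domain, spf_result[1], mode)
    dkim_ok = dkim_result[0] == "pass" and aligned(from_domain, dkim_result[1], mode)
    return {
        "from_domain": from_domain,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc_pass": spf_ok or dkim_ok,
    }


# Constructed message 1: the relay at mumi.example copies whatever address
# the anonymous commenter typed into the From: header.
COMMENTER_IN_FROM = """\
From: Giovanni Biscuolo <g@xelera.eu>
To: 12345@debbugs.example
Subject: Re: bug#12345: comment posted via web form
DKIM-Signature: v=1; a=rsa-sha256; d=mumi.example; s=web; h=from:to:subject;
 bh=CONSTRUCTED; b=CONSTRUCTED

(comment text)
"""

# Constructed message 2: the relay keeps its own address in From: and
# carries the commenter's address in Reply-To instead.
RELAY_IN_FROM = """\
From: mumi web comment <comments@mumi.example>
Reply-To: g@xelera.eu
To: 12345@debbugs.example
Subject: Re: bug#12345: comment posted via web form
DKIM-Signature: v=1; a=rsa-sha256; d=mumi.example; s=web; h=from:to:subject;
 bh=CONSTRUCTED; b=CONSTRUCTED

(comment text)
"""

# Simulated results: the relay really is an authorised sender for
# mumi.example and its signature verifies.  A real receiver would compute
# these from DNS and the signature; here they are fixed for the example.
RELAY_SPF = ("pass", "mumi.example")
RELAY_DKIM = ("pass", "mumi.example")


def check_commenter_in_from() -> dict:
    return dmarc_result(COMMENTER_IN_FROM, RELAY_SPF, RELAY_DKIM)


def check_relay_in_from() -> dict:
    return dmarc_result(RELAY_IN_FROM, RELAY_SPF, RELAY_DKIM)


if __name__ == "__main__":
    for name, fn in (("commenter address in From", check_commenter_in_from),
                     ("relay address in From", check_relay_in_from)):
        r = fn()
        print(f"{name}: From domain {r['from_domain']}: "
              f"SPF aligned={r['spf_aligned']} DKIM aligned={r['dkim_aligned']} "
              f"-> DMARC {'pass' if r['dmarc_pass'] else 'fail'}")
```

Both messages carry a valid signature and an SPF pass for `mumi.example`, yet only the second one passes DMARC: in the first, the authenticated identifier is the relay's domain while the From: domain is the commenter's, so the relay's authentication does not vouch for that address. Putting the relay's own address in From: and the commenter's in Reply-To keeps the message aligned while still letting replies reach the commenter.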