From: Giovanni Biscuolo
To: Ricardo Wurmus
Cc: Arun Isaac, guix-devel@gnu.org
Subject: Commenting bug reports via mumi web interface (was: How can we decrease the cognitive overhead for contributors?)
Organization: Xelera.eu
Date: Wed, 13 Sep 2023 12:26:58 +0200
Message-ID: <875y4ebc7h.fsf@xelera.eu>

Hi Ricardo,

Ricardo Wurmus writes:

> Giovanni Biscuolo writes:
>
>> AFAIU mumi does not (still?) have an authentication/authorization,
>> right?
>>
>> If so how do you plan to deal with users posting SPAM or similar
>> inappropriate content?
>
> It only sends email on behalf of commenters, so we’re using the same
> email mechanism to deal with spam.

Please forgive me if I'm not reading the source code for the relevant mumi function, it would be easier for me to see it in action to understand how the comment feature works.

I mean: I guess commenters are anonymous (?) and the mumi server will send the email via authenticated SMTP (I hope) as user "mumi server" (or something similar) on behalf of the commenter, right?

If so, the email is sent with the SPF and DKIM headers of the mumi server configured mail server and that information is not useful to eventually catch commenter email spoofing.

If I'm not missing something, then, anyone could send a comment as "g@xelera.eu" containing inappropriate content, right?

I know that the GNU mailing lists mail server surely has an antispam service, but it cannot use DMARC (SPF and/or DKIM) to filter email spoofing attempts and all it can do is to assign a "spamminess" score to messages, that seldom is able to effectively spot "inappropriate" content, right?

Given all this, does this mean that anyone could send an offensive comment as "g@xelera.eu" using the mumi commenting form?

...or are all the mailing lists moderated?

I feel I really miss something important in this picture, sorry for not understanding what!

As an /antipattern/ example of a bug reporting system using a web interface also for comments, I point out the one used by git-annex (ikiwiki): https://git-annex.branchable.com/bugs/

When you try to "Add a comment", e.g. in: https://git-annex.branchable.com/bugs/fsck_does_not_detect_corruption_on_yt_vids/

You are presented an authentication form supporting 3 auth methods: registered user, email [1] and OpenID.

I still think that they should just allow me to send an email to report and comment bugs.

Thanks! Gio'

[1] The server sends you a unique URL you can use to log in and expires in one day...
why not just send me (forward) the complete message I want to comment with the right Reply-to field pre-compiled, so I can edit my comment with my lovely MUA instead of that /awful/ web interface?!?

-- 
Giovanni Biscuolo

Xelera IT Infrastructures
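
Added example, not part of the original message: a small DMARC alignment check (relaxed mode, RFC 7489) showing why SPF/DKIM results for a relaying web server say nothing about who filled in the form, while directly sent mail can be tied to the From: domain. The domains, the RELAY name, the two From: handling variants and the two-label organizational-domain shortcut are assumptions for illustration, not mumi's behaviour.

```python
# Added example: DMARC identifier alignment (RFC 7489) applied to comments
# relayed by a web form. All domains and addresses below are constructed.

RELAY = "tracker.example"  # hypothetical domain of the relaying web server


def org_domain(domain):
    """Simplified organizational domain (last two labels). Assumption:
    real evaluators consult the Public Suffix List instead."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def dmarc_aligned_pass(header_from, spf_domain, spf_ok, dkim_domain, dkim_ok):
    """True when SPF or DKIM passed for a domain that matches (relaxed
    alignment) the domain of the visible From: address."""
    from_org = org_domain(header_from.rsplit("@", 1)[1])
    spf = spf_ok and org_domain(spf_domain) == from_org
    dkim = dkim_ok and org_domain(dkim_domain) == from_org
    return spf or dkim


def relayed_comment(typed_address, keep_typed_from):
    """Verdict the list server reaches for a comment sent by the relay.
    SPF and DKIM both pass, but for the relay's domain; who typed the
    address is not an input because the receiver never sees it."""
    header_from = typed_address if keep_typed_from else "comments@" + RELAY
    return dmarc_aligned_pass(header_from, "bounce." + RELAY, True, RELAY, True)


def direct_mail(header_from, sending_domain):
    """Verdict for mail submitted directly: SPF and DKIM pass for whichever
    domain actually sent it."""
    return dmarc_aligned_pass(header_from, sending_domain, True,
                              sending_domain, True)


def compare(address="alice@person.example"):
    return {
        "relay, From: typed address": relayed_comment(address, True),
        "relay, From: relay address": relayed_comment(address, False),
        "direct, owner's server": direct_mail(address, "mail.person.example"),
        "direct, unrelated server": direct_mail(address, "mail.other.example"),
    }


if __name__ == "__main__":
    for case, passed in compare().items():
        print(f"{case:28} aligned pass = {passed}")
```

Both relay rows come out the same whoever filled in the form; whether a receiver acts on a failed alignment depends on the DMARC policy published by the From: domain.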