From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <guix-devel-bounces+larch=yhetil.org@gnu.org>
Received: from mp10.migadu.com ([2001:41d0:403:4789::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by ms9.migadu.com with LMTPS
	id mJ1DO6eOAWUVXgAAG6o9tA:P1
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Wed, 13 Sep 2023 12:27:52 +0200
Received: from aspmx1.migadu.com ([2001:41d0:403:4789::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by mp10.migadu.com with LMTPS
	id mJ1DO6eOAWUVXgAAG6o9tA
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Wed, 13 Sep 2023 12:27:52 +0200
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by aspmx1.migadu.com (Postfix) with ESMTPS id 4E14944B81
	for <larch@yhetil.org>; Wed, 13 Sep 2023 12:27:51 +0200 (CEST)
Authentication-Results: aspmx1.migadu.com;
	dkim=none;
	spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org";
	dmarc=none
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org;
	s=key1; t=1694600871;
	h=from:from:sender:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:in-reply-to:in-reply-to:
	 references:references:list-id:list-help:list-unsubscribe:
	 list-subscribe:list-post; bh=WASc+m1uiTcaPqqrFk8k6zsgoFwYtizpi280yS1gu+g=;
	b=gKQxVD55YX/gBxay90TF6+zLOdcbB0g+mIVYzxchl7XbgRqxrNP712mesPI8Zyv4b2f+8S
	0+bJ0EKzfgpBkL68N0CPYOAxRVnyfspf1IkUNhFPZHvLyHkkl2FlSHgwMEGQErV2a7HN2g
	i3wUB+oE93tEXk3TIV4N5hFuuzglE2vZA+DhdDXEAI249pv+A4+r4hy0/IRRWBwz8eeQ/Y
	HTu+dQTY8XGnKYZ9Dh4kAq2xTnrnTGvAPcY3xgDmouTRGxblIOU+FbAhiS3eeZ7KwkSj3D
	ivz6voQZJugWvmnasVCjK2cXf0vwvs8dy6b4xtntL8sz9/FcBTN5d3NM/U19Ww==
ARC-Authentication-Results: i=1;
	aspmx1.migadu.com;
	dkim=none;
	spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org";
	dmarc=none
ARC-Seal: i=1; s=key1; d=yhetil.org; t=1694600871; a=rsa-sha256; cv=none;
	b=kVa2bwzB6lkwpWB+s1/HUDaObVaPkCUY++EuxLAYmR9zgg1FHShRtB0h55Tkfmcv3vb/rA
	FByQ6ZRX4kVZ4DfiULrmMTaCia0fg6/Raol7gEmS/AIZXzdn0clMqhlxxbUEU7STsHtuxs
	QBo9nT3rgiD1tXpAnrn8YRoYJAy9pf1IMVhxnv5x8nxDKpp/x6CVJBD8h/kcM8gcQwhrwS
	VQU5ANBb0xtORLVhKYuH3ITa06SIHot3wcwMjqwjR4axBOwVvIPq4Vk++AqBrdg3d79NZw
	l0yMJJtTDPbrjVKwHnDuzI5EXawsKYeKjHhip+t0SZsJ95EkxWRVlWkOWMxRKQ==
Received: from localhost ([::1] helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <guix-devel-bounces@gnu.org>)
	id 1qgN5S-0006EV-89; Wed, 13 Sep 2023 06:27:10 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <g@xelera.eu>) id 1qgN5P-0006EF-Ol
 for guix-devel@gnu.org; Wed, 13 Sep 2023 06:27:07 -0400
Received: from ns13.heimat.it ([46.4.214.66])
 by eggs.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <g@xelera.eu>) id 1qgN5N-0004U3-5k
 for guix-devel@gnu.org; Wed, 13 Sep 2023 06:27:07 -0400
Received: from localhost (ip6-localhost [127.0.0.1])
 by ns13.heimat.it (Postfix) with ESMTP id A9B6430098D;
 Wed, 13 Sep 2023 10:27:02 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at ns13.heimat.it
Received: from ns13.heimat.it ([127.0.0.1])
 by localhost (ns13.heimat.it [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id ztQrKyYhrL8X; Wed, 13 Sep 2023 10:27:00 +0000 (UTC)
Received: from bourrache.mug.xelera.it (unknown [93.56.171.217])
 (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by ns13.heimat.it (Postfix) with ESMTPSA id 50B6E300981;
 Wed, 13 Sep 2023 10:27:00 +0000 (UTC)
Received: from roquette.mug.biscuolo.net (roquette [10.38.2.14])
 by bourrache.mug.xelera.it (Postfix) with SMTP id D50BB29BAB3E;
 Wed, 13 Sep 2023 12:26:59 +0200 (CEST)
Received: (nullmailer pid 28921 invoked by uid 1000);
 Wed, 13 Sep 2023 10:26:59 -0000
From: Giovanni Biscuolo <g@xelera.eu>
To: Ricardo Wurmus <rekado@elephly.net>
Cc: Arun Isaac <arunisaac@systemreboot.net>, guix-devel@gnu.org
Subject: Commenting bug reports via mumi web interface (was: How can we
 decrease the cognitive overhead for contributors?)
In-Reply-To: <875y4e313a.fsf@elephly.net>
Organization: Xelera.eu
References: <878r9llhj8.fsf@systemreboot.net> <87fs3snbwo.fsf@xelera.eu>
 <87bkec620e.fsf@elephly.net> <87il8fbfvl.fsf@xelera.eu>
 <875y4e313a.fsf@elephly.net>
Date: Wed, 13 Sep 2023 12:26:58 +0200
Message-ID: <875y4ebc7h.fsf@xelera.eu>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha512; protocol="application/pgp-signature"
Received-SPF: pass client-ip=46.4.214.66; envelope-from=g@xelera.eu;
 helo=ns13.heimat.it
X-Spam_score_int: -18
X-Spam_score: -1.9
X-Spam_bar: -
X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: guix-devel@gnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Development of GNU Guix and the GNU System distribution."
 <guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/guix-devel>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org
Sender: guix-devel-bounces+larch=yhetil.org@gnu.org
X-Migadu-Flow: FLOW_IN
X-Migadu-Country: US
X-Migadu-Scanner: mx1.migadu.com
X-Migadu-Spam-Score: -3.51
X-Spam-Score: -3.51
X-Migadu-Queue-Id: 4E14944B81
X-TUID: eZnYo3G7BcOT

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Hi Ricardo,

Ricardo Wurmus <rekado@elephly.net> writes:

> Giovanni Biscuolo <g@xelera.eu> writes:
>
>> AFAIU mumi does not (still?) have ad authentication/authorization,
>> right?
>>
>> If so how do you plan to deal with users posting SPAM or similar
>> unappropriate content?
>
> It only sends email on behalf of commenters, so we=E2=80=99re using the s=
ame
> email mechanism to deal with spam.

Please forgive me if I'm not reading the source code for the relevant
mumi function, it would be easier for me to see it in action to
understand how the comment feature works.

I mean: I guess commenters are anonymous (?) and the mumi server will
send the email via authenticated SMTP (I hope) as user "mumi server" (or
something similar) on behalf of the commenter, right?

If so, the email is sent with the SPF and DKIM headers of the mumi
server configured mail server and that information is not useful to
eventually catch commenter email spoofing.

If I'm not missing something, then, anyone could send a comment as
"g@xelera.eu" containing unappropriate content, right?

I know that the GNU mailing lists mail server surely have an antispam
service, but it cannot use DMARC (SPF and/or DKIM) to filter email
spoofing attempts and all it can do is to assign a "spamminess" score to
messages, that seldom is able to effectively spot "unappropriate"
content, right?

Given all this, does this mean that anyone could send an offensive
comment as "g@xelera.eu" using the mumi commentig form?

...or are all the mailing lists moderated?

I feel I really miss something important in this picture, sorry for not
understanding what!

As an /antipattern/ example of a bug reporting system using a web
interface also for comments, I point out the one used by git-annex
(ikiwiki): https://git-annex.branchable.com/bugs/

When you try to "Add a comment", e.g. in:
https://git-annex.branchable.com/bugs/fsck_does_not_detect_corruption_on_yt=
_vids/

You are presented an authentication form supporting 3 auth methods:
registered user, email [1] and OpenID.

I still think that they sould just allow me to send an email to report
and comment bugs.


Thanks! Gio'


[1] The server sends you an unique URL you can use to log in and expires
in one day... why not just send me (forward) the complete message I want
to comment with the right Reply-to field pre-compiled, so I can edit my
comment with my lovely MUA instead of that /awful/ web interface?!?

=2D-=20
Giovanni Biscuolo

Xelera IT Infrastructures

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQJABAEBCgAqFiEERcxjuFJYydVfNLI5030Op87MORIFAmUBjnIMHGdAeGVsZXJh
LmV1AAoJENN9DqfOzDkSTKQP/2O8QmLlHi7gcrHDuFMIKnsRw6NPyoFxwqCeZh+/
F+jqbjwoTulxTa/X9C/HfKZoMnAd68FTiCEOhLns28A90A6JJTqFI3KUWKsH1O3x
YMbGDYR2w0n1rCs/xX8lyrcDxqkcy9/+XTnh7O7le9ZBVd6xleN0D+LsYYfJWvtA
qjrNR2q8BbSxi+idb0uh5KPgTWZ1XPAVor6hh1Drg3tt8SkCfNrHpXV0xgkmpGYI
h+7zZMloQWISv9Ne9Abu4s/7MJFUdIJbwxQBRtcHWXw7KGZZ9dq+HDxAG56o1goy
Ni4DZ8odqwfXz/eEwFd8ry6I9wYZU+haC7m9GYjpf+9WHjQy4G4klGjLX5r7QDKR
ygijY0jTFUyYfs9jLk/otHRc6HuwAAWEQEzv+Ka4BCX1jnV2NEoTBuGXogVDCdbL
1wMs5JAevkHEDyxMtcl2tMdh1KPWeyMn1lpq4Ny2oOIYM4KwqDRKoNaZ8KIIFHb0
8J5Uc6xZ2BNA9fUDNWSIZ5FR7ijsIUCYNNF04/F3hV3HGD9ZJ/TrmOWGhm6xzn/n
W1PCHj3jnPiCgGx4X1FLSjic05FThtL7XI5pfsTVQUsveLQxhoDNxpQc3UlB5blz
IJ5m3iu3fQ+c/JqZxsWUK4daoMPmVZ1EIEN8w7VBZdcRVb2EH6E9PP6g/F+d1DBn
bqR1
=rkEB
-----END PGP SIGNATURE-----
--=-=-=--