bug_email.pl and bugzilla_append_email.pl
bugreport at peshkin.net
Sun Feb 15 16:01:05 UTC 2004
Gervase Markham wrote:
> David Miller wrote:
>> A bunch of the stuff on the debbugs feature list for email commands
>> really convenient to the developers, but potentially really
>> convenient to
>> spammers, too (like being able to email a reporter directly by
>> mailing the
>> bug with -submitter tacked on the end of the bug address). We'll
>> need to
>> discuss if that's feasible or if there's ways we can protect it from
> You could make this address only work for people who have accounts,
For most sites, that would be a first step. The next interesting
question is how to prevent it from being spoofed. While some
environments might want to use PGP, others may want to trust the Sender,
permit each user to have a list of valid SMTP servers, put a "secret" in
the message, or send confirm emails to the user.
The valid SMTP server approach might be similar to the "spf" mechanism
for an account, except we could add valid servers to a user's list by
simply generating a confirm message to a user whenever they seem to be
using an unregistered server. It would certainly work for users who
come from either their own servers or from corporate servers. I don't
know what to do about people who use mail servers belonging to large ISPs.
Note that this problem is only really difficult on initial bug reports.
Once the initial report is done, updates are simple. We can use either
the reply-to address or the subject line to code in a token like the
following examples for bug 23456 with a token of "w9k7Q". If bugmail
goes out with
Subject: [bug 23456, w9k7Q]
reply to:<bug23456=w9k7Q at buzilla.mozilla.org>
Then, a user needs more information than just the bug number to comment
or attach, but just has to reply to the bugmail to do so.
Depending on paranioa, the token could be just a hash of existing
information or could be some token generated and kept in a table.
personally, I think that a token that is a simple hash of the user's
crypted password and the bug number would be just fine.
We could really use a good idea here.... anyone?
More information about the developers