[GRASS-dev] [bug #5504] (grass)

Request Tracker wrote:

this bug's URL: http://intevation.de/rt/webrt? serial_num=5504
---------------------------------------------------------------------
----

Subject:

-------------------------------------------- Managed by Request
Tracker

It's time to stop allowing -new bugs- to be submitted -by email- to the
old bug tracker.

Hamish

Hamish wrote:

It's time to stop allowing -new bugs- to be submitted -by email- to the
old bug tracker.

Several days ago I have already asked Bernhard if that's doable but he
still didn't get a reply from those who he asked :).

Hi Bernhard,

This is annoying-me again. Can you let us know what is the status? Thanks!

Maciek

On Wednesday 28 February 2007 20:03, Maciej Sieczka wrote:

Hamish wrote:
> It's time to stop allowing -new bugs- to be submitted -by email- to the
> old bug tracker.

Several days ago I have already asked Bernhard if that's doable but he
still didn't get a reply from those who he asked :).

This is annoying-me again. Can you let us know what is the status? Thanks!

Maciej,

we switched this off on Tuesday and one of Intevation's admin
has send an email to you on this day.
Registered users with manipulation rights can still open issues,
which I think is okay. We probably cannot change this anyway.
So there is a remote chance that spammers hit the right address.

Best,
Bernhard
--
Managing Director - Owner: www.intevation.net (Free Software Company)
Germany Coordinator: fsfeurope.org. Coordinator: www.Kolab-Konsortium.com.
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

Bernhard Reiter wrote:

On Wednesday 28 February 2007 20:03, Maciej Sieczka wrote:

This is annoying-me again. Can you let us know what is the status? Thanks!

we switched this off on Tuesday and one of Intevation's admin
has send an email to you on this day.

I didn't receive that email. I don't use a spam filter. It must have
get lost in between somewhere.

Registered users with manipulation rights can still open issues,
which I think is okay.

Perfect, thanks.

We probably cannot change this anyway.

No need to.

So there is a remote chance that spammers hit the right address.

Could you explain how exactly?

Maciek

On Thursday 01 March 2007 17:36, Maciej Sieczka wrote:

Bernhard Reiter wrote:
> On Wednesday 28 February 2007 20:03, Maciej Sieczka wrote:

> we switched this off on Tuesday and one of Intevation's admin
> has send an email to you on this day.

I didn't receive that email. I don't use a spam filter. It must have
get lost in between somewhere.

> Registered users with manipulation rights can still open issues,
> which I think is okay.

Perfect, thanks.

> We probably cannot change this anyway.

No need to.

> So there is a remote chance that spammers hit the right address.
Could you explain how exactly?

I suspect that if they use a forged from address from somebody that is a
registered user, they can still send something to the tracker. I did not
checked if this is a real attack vector. The chances for this a quite low
compared to other spam hits, so I do not think we should spend much energy on
it.

Best,
Bernhard

--
Managing Director - Owner: www.intevation.net (Free Software Company)
Germany Coordinator: fsfeurope.org. Coordinator: www.Kolab-Konsortium.com.
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

Bernhard Reiter wrote:

On Thursday 01 March 2007 17:36, Maciej Sieczka wrote:
> Bernhard Reiter wrote:
> > On Wednesday 28 February 2007 20:03, Maciej Sieczka wrote:

> > we switched this off on Tuesday and one of Intevation's admin
> > has send an email to you on this day.
>
> I didn't receive that email. I don't use a spam filter. It must have
> get lost in between somewhere.
>
> > Registered users with manipulation rights can still open issues,
> > which I think is okay.
>
> Perfect, thanks.
>
> > We probably cannot change this anyway.
>
> No need to.
>
> > So there is a remote chance that spammers hit the right address.
> Could you explain how exactly?

I suspect that if they use a forged from address from somebody that is
a registered user, they can still send something to the tracker. I
did not checked if this is a real attack vector. The chances for this
a quite low compared to other spam hits, so I do not think we should
spend much energy on it.

I'm not worried about it. It isn't worth their time.

I notice that guests can not post comments on the web interface now,
which means that only folks registed in the bug tracker can (ie devels).
Not so good as regular bug reporters or freelancers without a login
can no longer contribute to an old but still open bug report.

?,
Hamish

On Sunday 04 March 2007 01:53, Hamish wrote:

I notice that guests can not post comments on the web interface now,
which means that only folks registed in the bug tracker can (ie devels).
Not so good as regular bug reporters or freelancers without a login
can no longer contribute to an old but still open bug report.

This seems to be the drawback switching off the rights for anonymous.
Note that webspamming also happens.
I have a quick glance on it to see if we can change this for the better.
Otherwise I suggest we just stay with the current solution and have
guest comment on the mailing lists where the spam protection is better.

Bernhard

--
Managing Director - Owner: www.intevation.net (Free Software Company)
Germany Coordinator: fsfeurope.org. Coordinator: www.Kolab-Konsortium.com.
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner