
Re: Transition from RT to GitHub [FAQ]

From: Deven T. Corzine
Date: July 12, 2019 17:35
Subject: Re: Transition from RT to GitHub [FAQ]
Message ID: CAFVdu0Rb8xhk_+OKr_hEaocZdqmyyU8QWEp21y2RmxTNK2jKsw@mail.gmail.com
On Thu, Jul 11, 2019 at 7:00 AM Nicholas Clark <nick@ccl4.org> wrote:

> On Tue, Jul 09, 2019 at 01:45:28AM +0300, Sawyer X wrote:
>
> > The problem with anonymous ticket submission is that it inevitably
> > becomes a spam target. You can of course get rid of much of the bad
> > traffic with filtering. However you are still left with processes that
> > are fragile and/or overly dependent on humans.
>
> Technically you can still "anonymously" submit bug reports (or without an
> account), because you can still mail them direct to the list. It just won't
> get into the issue tracker that way :-/
>

I can imagine a solution which primarily uses GitHub, while preserving the
ability to submit anonymous bug reports:

1. Email sent to <perlbug@perl.org> is handled by an auto-responder, as
planned.
2. The auto-responder sends a response containing GitHub instructions and a
separate section explaining how to submit the bug without using GitHub --
while encouraging everyone to use GitHub as a strong preference.
3. In this separate section, include two email addresses using plus-syntax
to incorporate a hash (e.g. SHA1) in the email address (
perlbug+hashvalue@perl.org) -- one based on a hash of the sender's email
address (envelope sender?  From?  Reply-To?  All of these?), and the other
based on a hash of the Subject line of the bug report, or perhaps a key
string generated by the "perlbug" script which is in the body of the
email.  The sender-based address could be used (and reused) by someone who
is philosophically opposed to making a GitHub account, but doesn't care
about anonymity, and the other address could be used for true anonymous
submissions.
4. The bug reporter would need to reply/resend/forward the bug report to
either of these plus-syntax addresses.
5. When the auto-responder receives an email using the plus-syntax, it can
verify the hash and send the bug report to a GitHub gateway to create the
issue automatically, or send the normal auto-response if the hash isn't
valid.
6. For convenience, the "perlbug" script could generate the hash and send
the bug report to the correct plus-syntax address, but spammers could then
abuse the script.

This process alone would probably defeat most spammers, since they usually
send spam from undeliverable or innocent addresses, so there's a good
chance spam wouldn't become a problem in the first place.  If it does,
there are a number of hurdles that could be added to discourage spammers --
some of which would discourage the bug reporter as well:

Possible additional hurdles that come to mind offhand:

* Manual moderation is an option, of course, but not an appealing one.  It
might be okay if the automated system catches 99.99% of spam attempts.  It
would probably help if senders who pass manual moderation once are
automatically added to a whitelist by default.
* Rather than including the plus-syntax email addresses in the reply
directly, provide only the hash values with English prose describing how to
create the plus-syntax email address from those hash values.
* Require an authentication key of some sort generated by the "perlbug"
script, which could be required in the Subject line and/or body of the
email.  This could involve a hash like the plus-syntax addresses, using
some "secret" key as a salt.  Obviously, this could be reverse-engineered
from the script, but how many spammers would even try?
* Don't mention the plus-syntax addresses in the auto-response at all, and
have it documented elsewhere, with instructions for generating the correct
hash using Perl.  However, this would tend to discourage bug reporters as
well as spammers.
* Require PGP/GPG-signed messages for bug reports via email.  This would
again discourage bug reporters as well as spammers.

I'm not sure how much need there is for anonymous submissions though.
Personally, I'll be happy to use my GitHub account to submit issues, but
obviously there are some people who are opposed to using GitHub.

Deven
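The plus-address scheme sketched in steps 3 to 5 above, written out as an added toy model (not perlbug or any p5p code). It keys the hash with a responder-side secret, as the "salt" hurdle suggests, so the address cannot be computed from the public script alone, and it treats a forwarded report whose Subject gained a "Fwd:" prefix as still valid. The secret, the 20-hex-digit token length and the prefix stripping are assumptions for the example.

```python
"""Toy model of the perlbug plus-address gateway (added illustration, not project code)."""
import hashlib
import hmac
import re

DOMAIN = "perl.org"                   # list domain from the post
SECRET = b"constructed-demo-secret"   # constructed placeholder; a real key lives only on the responder
TOKEN_HEX = 20                        # assumption: truncated HMAC-SHA256, hex-encoded

def _norm_sender(sender: str) -> str:
    return sender.strip().lower()

def _norm_subject(subject: str) -> str:
    # Assumption: drop Re:/Fwd: prefixes so a forwarded report still verifies.
    return re.sub(r"^(?:\s*(?:re|fwd?)\s*:)+", "", subject, flags=re.I).strip().lower()

def _token(kind: str, value: str) -> str:
    # Domain-separate the two token kinds so a sender token never passes as a subject token.
    msg = f"{kind}:{value}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:TOKEN_HEX]

def sender_token(sender: str) -> str:
    return _token("sender", _norm_sender(sender))

def subject_token(subject: str) -> str:
    return _token("subject", _norm_subject(subject))

def plus_address(token: str) -> str:
    return f"perlbug+{token}@{DOMAIN}"

def auto_response_addresses(sender: str, subject: str) -> dict:
    """The two addresses the auto-responder would hand back on first contact."""
    return {"sender": plus_address(sender_token(sender)),
            "anonymous": plus_address(subject_token(subject))}

_PLUS_RE = re.compile(rf"^perlbug\+([0-9a-f]{{{TOKEN_HEX}}})@{re.escape(DOMAIN)}$", re.I)

def classify(rcpt: str, sender: str, subject: str) -> str:
    """'github_gateway' if the plus-token verifies for this mail, else 'auto_response'."""
    m = _PLUS_RE.match(rcpt.strip())
    if not m:
        return "auto_response"
    presented = m.group(1).lower()
    for expected in (sender_token(sender), subject_token(subject)):
        if hmac.compare_digest(presented, expected):   # constant-time compare
            return "github_gateway"
    return "auto_response"
```

A mail to the plain perlbug address gets the instructions; a mail to a verified plus-address goes to the gateway; a forged or stale token falls back to the instructions.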
