savannah-hackers

[sr #110907] reply-to emails which are comments on bugs


From: Ineiev
Subject: [sr #110907] reply-to emails which are comments on bugs
Date: Thu, 17 Aug 2023 13:15:16 -0400 (EDT)

Follow-up Comment #5, sr #110907 (project administration):

TLDR: this looks too complicated to me.

> Often, but the from address is often secured (some newfangled authorised
> mail-submission-agent system with DNS, I think) and you can check the security
> of the email path in those cases, so if the user has nominated a from address
> for a so-secured mail-exchange then you're alright in that case.

I'm not aware of this protocol; at any rate, I believe such things should
cover all users, not part of them.

> I suggested the user might nominate an email signature certificate which
> can't be impersonated much more than the website login.

They might, but would it really be more convenient for them?

> Even outside those cases, this is limited to commenting so you can clean up
> once you realise that a user has been impersonated

So far, we have neither means to clean up nor the need for it; to say nothing
of the work on detecting the impersonations.

> and change the salts as often as you like. On the occasions that a salt has
> been changed before a user replies you can send out a new address for them to
> resend their reply to so you can even change the salt very often.

If I change the salt very often, the user won't be able to use it,
and I can't see how it could protect against the interception.

> If you allow this case then you can indicate that the comment has no or
> little identity verification so people don't act as if such a comment was an
> authority.

I don't think it's a good idea to make our users learn another tracker-related
concept; trackers are already more than sufficiently complicated.

> Alternatively or in addition, on occasion a user could log in and validate
> the identity of comments sent by email and you could make that easy by sending
> a digest with a validation link either before or after the emails are spooled
> into comments.

If the user has to log in anyway, the usefulness of emails will be very
limited.

> It would still be more practical to converse on development topics than
> interrupting a user workflow with website visits and the website login process
> injected between thoughts.

It's possible to do that; the emails just don't land in the tracker.


    _______________________________________________________

Reply to this item at:

  <https://savannah.nongnu.org/support/?110907>

_______________________________________________
Message sent via Savannah
https://savannah.nongnu.org/
