[FreeBSD-Announce] FreeBSD bug tracking moves from GNATS to Bugzilla

Tue Jun 3 15:55:06 UTC 2014

> On Jun 3, 2014, at 8:23 AM, Michelle Sullivan <michelle at sorbs.net> wrote:
> 
> Alfred Perlstein wrote:
>> 
>>> On 6/3/14, 5:16 AM, David Chisnall wrote:
>>>> On 3 Jun 2014, at 13:09, Vitaly Magerya <vmagerya at gmail.com> wrote:
>>>> 
>>>> It doesn't seem to be possible to post comments (or bugs) without
>>>> creating an account and logging in.
>>> That is correct.  The current leaning is towards not providing such
>>> functionality as:
>>> 
>>> - It makes spamming easy
>>> 
>>> - If someone can't be bothered to make an account, they are unlikely
>>> to provide the feedback required to correctly diagnose the bug.
>>> 
>>> I don't know that this decision is final, but it's certainly unlikely
>>> to be high up the priority list to implement it.  For FreeBSD 11,
>>> we'd like to have an HTTP-based send-pr replacement, which will not
>>> be able to enforce a valid email address, but which will at least
>>> request one.  Although, again, we'll have to be careful to prevent it
>>> from being used as a spam tool (send a pr claiming to be from a
>>> different email address with a spam message and that person gets
>>> notified) and so it will likely add the bug to a private queue where
>>> it can be checked for spam before appearing in the main db. 
>>> Volunteers to be spam filters welcome...
>> I think a bunch of this can be solved by using oauth or something like
>> it.  aka: login via github or facebook/twitter.
> 
> I for one would be highly opposed to it (facebook/twitter etc login) ...
> 3-4 years ago I went through 7 facebook accounts because of a vindictive
> little psycho kept reporting all my posts and accounts as abusive
> specifically to cause Facebook to delete my account...  This then
> blocked the email address and telephone number from being used elsewhere
> and I lost several associated accounts as a result - including paid for
> services.  I will never use such again, even a court order didn't get
> the (original) account reinstated or compensated.
> 
> As for spamming, there are solutions - some make it more difficult than
> creating an account and logging in.  That said I've had my fair share of
> spam through (verified email) logins... there is no easy solution, only
> less painful ones. :/
> 
> A tool that resides in the base OS for sending bug reports would be a
> good idea - even better if the tool reports basic OS parameters (uname
> -a, and an OS unique token) and the connecting IP (as seen by the
> receiving server) so that spammers cannot abuse it or be easily blocked.
> 
> Just my $0.02
> 
> Michelle
> (from SORBS)
> 
> -- 
> Michelle Sullivan
> http://www.mhix.org/
> 

All of those parameters can easily be faked. Not sure how that would help. 

I still think using a form of oauth might help. 

Other options are email registration that results in an API key that those command line apps can use. That API key can be revoked by the bugzilla admins if needed.  