← Back to team overview

launchpad-dev team mailing list archive

Re: Launchpad mailing lists and users' needs.

 

2009/8/8 Karl Fogel <karl.fogel@xxxxxxxxxxxxx>:
> I thought I'd forward some interesting questions about our bug tracker's
> email interface.  Background: I proposed on the Emacs Devel mailing list
> that Emacs consider using Launchpad for bug tracking.  My original post
> is here:
>
>  http://lists.gnu.org/archive/html/emacs-devel/2009-08/msg00204.html
>
> Michael Albinus immediately followed up asking about APIs, and I
> answered him (you can find that exchange in the thread if you want).
> Then Stefan Monnier, one of the project leaders, followed up with some
> very interesting questions:
>
>  http://lists.gnu.org/archive/html/emacs-devel/2009-08/msg00241.html
>
> We don't have good answers for some of his questions.  About ease of
> use, for example: our tracker only accepts mails from addresses
> registered with Launchpad.  The documentation also claims that the mails
> have to be GPG-signed (https://help.launchpad.net/Bugs/EmailInterface),
> though I'm not so sure about that -- I'm pretty sure I've manipulated
> the bug tracker just fine without GGP-signing any mails.

Those are interesting questions.

Unless it's changed recently you can comment on bugs but not change
their state using unsigned email.  I have a bug open asking that we
should also try to validate the mail using DomainKeys, which would not
require specific intervention from the end user.  We could also look
at SPF.  GPG is a pretty heavy hammer to detect forged mail.

Arguably there should be finer granularity on access.  For instance
you might not let people open private bugs by untrusted mail, but
personally I would trust it to change the status or summary on the
theory that these are easily restored and boring to abuse.

I do think particularly for Answers but maybe in general it would be
good to let people start interacting with the project without a
blocking or explicit "create an account" phase.  We could still
implicitly create an account, and possibly even send mail to say so,
but it would not need to be done before accepting their information.
But there's some nontrivial work to do this.

There is some tradeoff here against spam, which Glenn raises as an issue.

Someone should reply to the rest of them.

-- 
Martin <http://launchpad.net/~mbp/>



Follow ups

References