launchpad-dev team mailing list archive

[Martin Pool <mbp@xxxxxxxxxxxxx>]

2009/8/11 Karl Fogel <karl.fogel@xxxxxxxxxxxxx>:
> Martin Pool <mbp@xxxxxxxxxxxxx> writes:
>> Someone should reply to the rest of them.
>
> I responded to the questions there, and closed off the thread.  It's
> clear that getting Emacs to use the Launchpad bug tracker would require
> a lot of effort.  It's not worth weeks of anyone's time, which is what
> it would take (based on the thread).
>
> It did raise some interesting points about how we could do spam
> filtering less obtrusively.  For example, instead of requiring a
> pre-registered email address and/or GPG-signing, why not just require
> that emails to the bug tracker contain a magic string, in the form of a
> command, e.g., " launchpad-tracker human"?  That would allow anyone to
> file bugs by email, but still make spammers vanishingly unlikely (since
> they'd have to read the documentation to know how to send a successful
> mail).

It's a 'smartest bears' problem

 http://www.schneier.com/blog/archives/2006/08/security_is_a_t.html

In my opinion and in rough order of priority:

 * Add a pervasive 'flag for review'
 * Check things like DomainKeys and treat them as trusted mail, or
perhaps nearly-as-trusted as gpg
 * When someone wants to ask a question (or maybe file a bug) have a
guided implicit account creation - just ask for their address and
later confirm it, but let them do the interaction first.
 * When someone first interacts with Launchpad from a previously
unknown address, reply by mail to ask if they really sent mail, and if
they do implicitly create an account and confirm that address - a bit
like Mailman does.  You would also need to handle people accidentally
creating a second account that way so it's a bit complicated.

I don't think the last is very important.

-- 
Martin <http://launchpad.net/~mbp/>