
launchpad-dev team mailing list archive

Re: Fwd: [Fwd: Quickly and Launchpad]

 

So what classes of attack exist here?

Social/trojan:
They might get the user to run code they shouldn't, which then sets up
an SSH/CoC/GPG/changes their email [but we already have a handshake on
email changes], and then with the access the SSH/GPG/PPA gives them do
something bad (like push garbage into a branch).

Mail multiplication? I don't think so, the only person able to trigger
a 'new ssh' email is the user themselves, unless their credentials
have been leaked already.

Mail to other people? Not through this API - the 'setup a new email
address' API would definitely permit that - but not permit controlling
the content in the mail (I hope?!)

-Rob


