Package: lists.debian.org
Severity: important
We seem to be having a recurring problem of people who want off debian-security-announce unintentionally bothering debian-security about it, or trying to unsubscribe to the latter list and then finding it doesn't do what they want. Then they feel helpless and start spewing messages in all directions, because feeling unable to shut off an unpredictable stimulus that repeatedly yanks one's attention has a way of jamming spikes into one's psyche. This also means people who want to be on debian-security get these messages flung at them as a side effect.
I think it would be more reasonable to set the Reply-To address for d-s-a posts to a robot that responds with a canned message to the effect of "if you wish to discuss this further, subscribe to debian-security and post anew there; if you wish to unsubscribe, you should be asking debian-security-announce-request; if you actually meant to send this to your colleagues at the NOC, you can ignore this message but you might want to be more careful in the future". Bonus points if it recognizes the second case and automatically does the first step of the process, so that a reply to the first canned message does the unsubscribe-confirmation step.
By this, I mean that if this address is being set by the senders of such messages, the policy should be changed; if it is being set by the mailing list software, it should be reconfigured; and if it is being set by the senders because the mail may be replicated in multiple places, the mailing list software should be configured to munge the header on d-s-a only. If there is some other process going on, extrapolate accordingly.
The expanded form of this:
1. The Reply-To address for messages on debian-security-announce generally points to debian-security. This is unusual; why is this done in the first place? The obvious reason is "so that people who wish to discuss DSAs further can do so on debian-security conveniently", but if that's the only reason, I think the side effects are intolerable by comparison.
   1a. People who are potentially knowledgeable also don't readily recognize this, often treat the situation as the usual "asking _on the list from which one wishes to be unsubscribed_" situation, and then provide the _wrong_ -request address while trying to help the hapless users who just don't want their mailbox flooded with stuff which is now irrelevant to them. If this then starts showing up in Web searches and misleads the next user who tries to unsubscribe and maybe does a little more research first, so much the worse!
2. I _assume_ what's happening is users are pressured to subscribe to d-s-a when they start using Debian, because of important announcements. These people are _not_ necessarily even aware of the idea of getting involved in the interactive mailing list culture of Debian, and certainly are unlikely to read the codes of conduct for the lists first. They later stop using Debian, or decide that they will handle security announcements some other way (possibly a bad way, but that's a separate problem), but now they can't figure out how to stop receiving all this mail.
   2a. Importantly: these people may not be used to using mailing lists of the more usual "free-software world" type _at all_! Nor is it realistic to expect them to handle the cognitive load of remembering such things between a one-off event and a distant point in time.
   2b. Note that the pressure to subscribe to d-s-a may come from other well-meaning individuals providing tutorials or such, so there's no way to get all of them.
3. Posts to d-s-a have no human-readable subscription-manipulation information in the body, so there's no reminder of what to do that actually shows up at the time. It would sure be nice if _everyone's_ clients respected List-Unsubscribe headers (and if they knew how to request this function in their client!) but obviously this isn't consistently true; see (2a).
   3a. This, in combination with (1), passively encourages users to violate the "If you send messages to lists to which you are not subscribed, always note that fact in the body of the message" policy in the Debian lists code of conduct, because it makes it very easy to forget; normally, sending to lists to which one is not subscribed has much more of a conscious barrier to it. This is true even for users who are notionally aware of the situation.
4. debian-security (like most Debian lists) isn't filtering messages from unsubscribed individuals, which isn't inherently bad, but amplifies the rest of this quite badly because it means unrelated individuals who _do_ want to engage interactively take splash noise.
   4a. Whatever filter is supposed to be keeping administrivia from hitting the list in general obviously isn't working; "machine learning is hard" aside, I repeatedly see messages with the subject or first line literally being "unsubscribe" in its entirety. In any event, this wouldn't help with everything, because inattentive replies in general (which are coming from a psychological context of not being in "interactive mailing list mode") and unsuitably-configured out-of-office autoresponders are also problems, and all of these seem to come from the same disconnect between action and effect caused by the weird Reply-To configuration.
Thus my suggestion at the top.
Aside from any of that, I'd volunteer to play docent to the users affected by this if I had the energy over time, but I really don't. If there's a one-off action I can do to help, it would be nice to know what it is in case I can manage it somehow.
Can we please get this to stop?
---> Drake Wilson
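
The reply robot proposed in the report, as an added sketch that is not part of the original report or of Debian's list software: it sorts a reply to a d-s-a post into unsubscribe attempt, automatic mail (the out-of-office case from 4a, which gets no answer so the robot cannot start a mail loop), or anything else, and builds the canned response. The function names, the robot address, the domain of the -request address and the reply wording are assumptions.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Assumed addresses: the -request name is from the report, the domain and robot are not.
REQUEST_ADDR = "debian-security-announce-request@lists.debian.org"
ROBOT_ADDR = "dsa-reply-robot@lists.example"  # hypothetical
# Constructed sample: a reply to an announcement whose whole body is "unsubscribe".
SAMPLE = "From: user@example.org\nSubject: Re: [DSA 0000-1] constructed\n\nunsubscribe\n"
UNSUB_RE = re.compile(r"^\s*(please\s+)?unsubscribe\b", re.I)

def first_body_line(msg):
    """Return the first non-empty, non-quoted line of the plain-text body."""
    part = msg.get_body(preferencelist=("plain",))
    text = part.get_content() if part else ""
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith(">"):
            return line.strip()
    return ""

def classify(msg):
    """Return 'auto', 'unsubscribe' or 'other' for a reply to a d-s-a post."""
    # RFC 3834: never answer automatic mail (out-of-office, other robots).
    if msg.get("Auto-Submitted", "no").strip().lower() != "no":
        return "auto"
    if msg.get("Precedence", "").strip().lower() in ("bulk", "junk", "list"):
        return "auto"
    subject = re.sub(r"^\s*((re|fwd?)\s*:\s*)+", "", msg.get("Subject", ""), flags=re.I)
    if UNSUB_RE.match(subject) or UNSUB_RE.match(first_body_line(msg)):
        return "unsubscribe"
    return "other"

def canned_reply(raw):
    """Build the robot's response, or None when no reply should be sent."""
    msg = message_from_string(raw, policy=policy.default)
    kind = classify(msg)
    if kind == "auto":
        return None
    reply = EmailMessage()
    reply["From"] = ROBOT_ADDR
    reply["To"] = str(msg.get("From", ""))
    reply["Auto-Submitted"] = "auto-replied"  # lets other robots skip this mail
    reply["Subject"] = "Your reply to a debian-security-announce post"
    if kind == "unsubscribe":
        reply.set_content(f"To unsubscribe, write to {REQUEST_ADDR}.\n")
    else:
        reply.set_content("To discuss this further, subscribe to debian-security "
                          "and post anew there.\n")
    return reply
```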