ppkarwasz opened a new issue, #946: URL: https://github.com/apache/tooling-trusted-releases/issues/946
Currently the vote counting algorithm matches all instances of `+1` and `-1` in the text. This can create a false positive, like in the case of the [Log4j 2.25.4 vote](https://lists.apache.org/thread/fpzfgo42ovhrx0vyts238c905cpw4pd4), where the algorithm matched the `+1` in the vote e-mail:

```
votes are officially counted. At least 3 +1 votes and more
```

I think we could be more strict for `+1` and `-1` votes and ask voters to put them at the **beginning** of a line:

https://github.com/apache/tooling-trusted-releases/blob/9a11abb5e95c54b09f330bcc2e4e525102e4de34/atr/tabulate.py#L272-L275

**Note**: we have been successfully trusting voting by e-mail for years and I don't think there has ever been an incident where someone spoofed a vote. However, I think it would be more prudent to at least verify the origin of the vote e-mail by answering the voter with a link to validate the vote.

What do you think?
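The false positive described in this issue, next to the proposed line-start rule, as an added example (not code from the issue or from `atr/tabulate.py`). The two patterns, the function names and every sample line other than the sentence quoted in the issue are assumptions made for illustration.

```python
import re

# Loose rule, as the issue describes the current behaviour: every "+1" or "-1"
# anywhere in the body counts. Sketch only, not the project's implementation.
LOOSE = re.compile(r"[+-]1")

# Line-start rule proposed in the issue. Assumptions of this example: leading
# spaces or tabs are tolerated, quoted lines ("> ...") are ignored because the
# token does not start them, and longer numbers such as "+10" are rejected.
STRICT = re.compile(r"^[ \t]*([+-]1)(?!\d)", re.MULTILINE)


def loose_votes(body: str) -> list[str]:
    """All vote-like tokens found anywhere in the body."""
    return LOOSE.findall(body)


def strict_votes(body: str) -> list[str]:
    """Vote tokens that begin a line."""
    return STRICT.findall(body)


# Constructed sample messages. The second line of ANNOUNCEMENT is the sentence
# quoted in the issue; everything else is made up for the example.
ANNOUNCEMENT = (
    "This is a vote to release the candidate.\n"
    "votes are officially counted. At least 3 +1 votes and more\n"
)
REPLY = (
    "> votes are officially counted. At least 3 +1 votes and more\n"
    "\n"
    "+1 (binding)\n"
    "Checked signatures and hashes.\n"
)

if __name__ == "__main__":
    for name, body in (("announcement", ANNOUNCEMENT), ("reply", REPLY)):
        print(f"{name}: loose={loose_votes(body)} strict={strict_votes(body)}")
```

A hard-wrapped sentence whose line happens to begin with `+1` still matches the line-start pattern, so anchoring narrows the false positives rather than eliminating them.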
