Re: Who gets an email when with bugreports [was: Re: Unauthorised activity surrounding tbb package]
On 2015-01-24 02:00:34 +, Ben Hutchings wrote: On Wed, 2015-01-21 at 17:07 +1300, Chris Bannister wrote: Or an option in reportbug to do so, turned on by default. It could put an X- header in the email. That way users of reportbug can choose to be 'spammed' or not. This is still unconfirmed opt-in https://en.wikipedia.org/wiki/Opt-in_email#Unconfirmed_opt-in. Well, when reporting a bug, the user always receives a mail from the BTS. This mail could also be used as a confirmation message for this and future bug reports: if the user replies, he will automatically be subscribed to all bugs he reports. The next bug reports may be forged, but the user would have done the confirmation step, so couldn't complain. Or better, the reply to the confirmation message could contain a private key that could be used by reportbug to insert a X- header identifying the author of the next bug reports. -- Vincent Lefèvre vinc...@vinc17.net - Web: https://www.vinc17.net/ 100% accessible validated (X)HTML - Blog: https://www.vinc17.net/blog/ Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon) -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20150128121428.ga8...@xvii.vinc17.org
Re: Who gets an email when with bugreports [was: Re: Unauthorised activity surrounding tbb package]
On Wed, 28 Jan 2015, Vincent Lefevre wrote: On 2015-01-24 02:00:34 +, Ben Hutchings wrote: On Wed, 2015-01-21 at 17:07 +1300, Chris Bannister wrote: Or an option in reportbug to do so, turned on by default. It could put an X- header in the email. That way users of reportbug can choose to be 'spammed' or not. This is still unconfirmed opt-in https://en.wikipedia.org/wiki/Opt-in_email#Unconfirmed_opt-in. Well, when reporting a bug, the user always receives a mail from the BTS. This mail could also be used as a confirmation message for this and future bug reports: if the user replies, he will automatically be subscribed to all bugs he reports. The next bug reports may be forged, but the user would have done the confirmation step, so couldn't complain. Or better, the reply to the confirmation message could contain a private key that could be used by reportbug to insert a X- header identifying the author of the next bug reports. Something along these lines is what I'm planning on doing. -- Don Armstrong http://www.donarmstrong.com Taxes are not levied for the benefit of the taxed. -- Robert Heinlein _Time Enough For Love_ p250 -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20150128180834.gk31...@teltox.donarmstrong.com
Re: Who gets an email when with bugreports [was: Re: Unauthorised activity surrounding tbb package]
On Wed, 2015-01-21 at 17:07 +1300, Chris Bannister wrote: On Mon, Jan 19, 2015 at 01:03:52AM +, Ben Hutchings wrote: On Mon, 2015-01-19 at 08:37 +0800, Paul Wise wrote: On Mon, Jan 19, 2015 at 8:06 AM, Don Armstrong wrote: I'm going to put together a bit more firm of a proposal in the next few weeks, but I think that basically everything but nnn-done@ and nnn-submitter@ should be no different from mailing nnn@, and until I allow submitters to opt out of e-mail, mailing nnn-submitter@ should be no different from e-mailing nnn@ either. I'd very much appreciate the ability to not be auto-subscribed to every bug so please do implement the opt-out thing, preferably before this change is rolled out. Personally, I think subscriptions should work like this: The default should be to auto-subscribe submitters and contributors to bugs. [...] No, this would turn the BTS into a (worse) spam vector. If a user submits a bug report then doesn't it make sense that the user would want to be able to be kept informed of any progress updates? Yes, but we don't know whether to believe that address. Or an option in reportbug to do so, turned on by default. It could put an X- header in the email. That way users of reportbug can choose to be 'spammed' or not. This is still unconfirmed opt-in https://en.wikipedia.org/wiki/Opt-in_email#Unconfirmed_opt-in. Ben. -- Ben Hutchings Larkinson's Law: All laws are basically false. signature.asc Description: This is a digitally signed message part
Re: Who gets an email when with bugreports [was: Re: Unauthorised activity surrounding tbb package]
On 2015-01-22 12:41:05 +1000, Russell Stuart wrote: On Wed, 2015-01-21 at 21:10 -0500, Michael Gilbert wrote: So anyway, nn-subscribe can be used to spam confirmation messages currently, and general mail to the bts from an unknown address will end up doing the same, but it's basically a non-issue because it's a rather uninteresting thing to do for anyone that might consider wanting to do it. I don't know how interesting it would be on an absolute scale, it certainly would be more interesting than it is now if we remove the authentication we have. The reason is all that happens now is you get one unwanted email and that is the end of it. A spammer can send several nn-subscribe messages. -- Vincent Lefèvre vinc...@vinc17.net - Web: https://www.vinc17.net/ 100% accessible validated (X)HTML - Blog: https://www.vinc17.net/blog/ Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon) -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20150122142006.gb25...@ypig.lip.ens-lyon.fr
Re: Who gets an email when with bugreports [was: Re: Unauthorised activity surrounding tbb package]
On Wed, Jan 21, 2015 at 9:41 PM, Russell Stuart wrote: The reason is all that happens now is you get one unwanted email and that is the end of it. In particular the attacker can't force you do to something to prevent the bugs.debian.org from sending further unwanted emails. If you get rid of authentication then the victim, be it you, or your mother, or your local police constable, will have to tell the Debian bugs system to unsubscribe them from a list they never subscribed to in the first place. Why do you insist that eliminating confirmation is part of the discussion? I'm not sure why this discussion is necessary at all. Don has said that he's working on the problem, maybe let's just get out of his way? Best wishes, Mike -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/CANTw=MM9sJ=wQu2EWGxwV=HRJRpVvyCV=w4qzv4bunfj-nt...@mail.gmail.com
Re: Who gets an email when with bugreports [was: Re: Unauthorised activity surrounding tbb package]
On Mon, Jan 19, 2015 at 7:32 PM, Russell Stuart wrote: In other words the current system contains robust defences against such an attack. All I (and I presume Ben) are saying is removing those defences is not a good idea, given it's easy enough to design a system that keeps them. Currently most of the auto subscription proposals appearing here do remove them. My statement was more in reference to Don's prior discussion on this topic. A while ago (not in this thread) he mentioned the possibility of requiring the confirmation step only for the first mail to the bts from a previously unknown address. So anyway, nn-subscribe can be used to spam confirmation messages currently, and general mail to the bts from an unknown address will end up doing the same, but it's basically a non-issue because it's a rather uninteresting thing to do for anyone that might consider wanting to do it. Best wishes, Mike -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/CANTw=mp-z3bwhexyxvtmq1fnqqdt6l-8grrrfexhq_wx2ym...@mail.gmail.com
Re: Who gets an email when with bugreports [was: Re: Unauthorised activity surrounding tbb package]
On Wed, 2015-01-21 at 21:10 -0500, Michael Gilbert wrote: So anyway, nn-subscribe can be used to spam confirmation messages currently, and general mail to the bts from an unknown address will end up doing the same, but it's basically a non-issue because it's a rather uninteresting thing to do for anyone that might consider wanting to do it. I don't know how interesting it would be on an absolute scale, it certainly would be more interesting than it is now if we remove the authentication we have. The reason is all that happens now is you get one unwanted email and that is the end of it. In particular the attacker can't force you do to something to prevent the bugs.debian.org from sending further unwanted emails. If you get rid of authentication then the victim, be it you, or your mother, or your local police constable, will have to tell the Debian bugs system to unsubscribe them from a list they never subscribed to in the first place. Perhaps you can suggest a way of explaining the situation to our mothers or local law enforcement agents so they don't end up blaming the Debian bugs system for putting them in this predicament. I struggling to come up with something they would swallow once they learn we could have designed the system to avoid it, but chose not to because we found it convenient to inconvenience them. signature.asc Description: This is a digitally signed message part
Re: Who gets an email when with bugreports [was: Re: Unauthorised activity surrounding tbb package]
Russell Stuart writes (Re: Who gets an email when with bugreports [was: Re: Unauthorised activity surrounding tbb package]): 701234-subyes-8aba1368a9ac33362ea1f68c28446c15-65bf3bd3886fb8abfe59d40709c84...@bugs.debian.org I presume this invite address is unforgeable (because Ian Jackson's expertise is in crypto, and he said earlier he designed the system). Many people have contributed to debbugs over the years, and my own contributions are by now very much in the minority. This particular feature postdates my work on it (and I haven't reviewed the crypto). But the rest of what you say is right. Ian. -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/21694.23043.966049.474...@chiark.greenend.org.uk
Re: Who gets an email when with bugreports [was: Re: Unauthorised activity surrounding tbb package]
On 2015-01-18 16:06:32 -0800, Don Armstrong wrote: I'm going to put together a bit more firm of a proposal in the next few weeks, but I think that basically everything but nnn-done@ and nnn-submitter@ should be no different from mailing nnn@, and until I allow submitters to opt out of e-mail, mailing nnn-submitter@ should be no different from e-mailing nnn@ either. It would be great if the maintainer could *always* receive the mail when mailing to nnn@, and not just under obscure conditions. For instance, I've been told by some maintainers that if the bug is reassigned, the maintainer doesn't receive the mail! -- Vincent Lefèvre vinc...@vinc17.net - Web: https://www.vinc17.net/ 100% accessible validated (X)HTML - Blog: https://www.vinc17.net/blog/ Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon) -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20150120160040.gb1...@ypig.lip.ens-lyon.fr
Re: Who gets an email when with bugreports [was: Re: Unauthorised activity surrounding tbb package]
On 20/01/15 16:00, Vincent Lefevre wrote: It would be great if the maintainer could *always* receive the mail when mailing to nnn@, and not just under obscure conditions. For instance, I've been told by some maintainers that if the bug is reassigned, the maintainer doesn't receive the mail! In this situation the maintainer is not unique. The maintainer of the package that previously had the bug does receive the mail, but the maintainer of the package that now has the bug doesn't. For instance suppose there's an apparent bug in hello that is actually a symptom of an underlying bug in libc6, and I send: To: 123...@bugs.debian.org Subject: Re: Bug #123456: hello: doesn't work Control: reassign 123456 libc6 This is not hello's fault because [reasons]. It's actually a bug in libc. The maintainer of hello gets my mail, and also the BTS' notification that #123456 has been reassigned. All good. The maintainer of libc6 only sees the BTS' notification that #123456 has been reassigned to them, but doesn't get my email that explains why this bug is now assigned to their package. (The current solution to this is a social convention to cc $new_pack...@packages.debian.org when reassigning to $NEW_PACKAGE.) S -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/54be9cf1.3010...@debian.org
Re: Who gets an email when with bugreports [was: Re: Unauthorised activity surrounding tbb package]
On Mon, Jan 19, 2015 at 01:03:52AM +, Ben Hutchings wrote: On Mon, 2015-01-19 at 08:37 +0800, Paul Wise wrote: On Mon, Jan 19, 2015 at 8:06 AM, Don Armstrong wrote: I'm going to put together a bit more firm of a proposal in the next few weeks, but I think that basically everything but nnn-done@ and nnn-submitter@ should be no different from mailing nnn@, and until I allow submitters to opt out of e-mail, mailing nnn-submitter@ should be no different from e-mailing nnn@ either. I'd very much appreciate the ability to not be auto-subscribed to every bug so please do implement the opt-out thing, preferably before this change is rolled out. Personally, I think subscriptions should work like this: The default should be to auto-subscribe submitters and contributors to bugs. [...] No, this would turn the BTS into a (worse) spam vector. If a user submits a bug report then doesn't it make sense that the user would want to be able to be kept informed of any progress updates? Or an option in reportbug to do so, turned on by default. It could put an X- header in the email. That way users of reportbug can choose to be 'spammed' or not. -- If you're not careful, the newspapers will have you hating the people who are being oppressed, and loving the people who are doing the oppressing. --- Malcolm X -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20150121040736.GG31842@tal
Re: Who gets an email when with bugreports [was: Re: Unauthorised activity surrounding tbb package]
On Mon, Jan 19, 2015 at 11:31:20AM +, Wookey wrote: Am I right that the only way to expliticly mail the submitter and the maintainer is to look the submitter's mail up in the initial bugrep and just CC it, whilst replying to bugnum@b.d.o, which will automatically include the maintainer? (which feels like work the BTS could do for me, maybe even by default). Or should I mail both nnn@b.d.o _and_ nnn-submitter@b.d.o to get the desired effect? The latter. The forward to debian-bugs-dist is handled by the BTS so it will deduplicate the message. Cheers, -- James GPG Key: 4096R/331BA3DB 2011-12-05 James McCoy james...@debian.org -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20150120005418.gi22...@freya.jamessan.com
Re: Who gets an email when with bugreports [was: Re: Unauthorised activity surrounding tbb package]
On Mon, 2015-01-19 at 16:57 -0500, Michael Gilbert wrote: Isn't the spam vector already wide open for nn-subscr...@bugs.debian.org, which isn't much (ab)used today? I fail to see how any of the discussed changes open an abuse vector that doesn't already exist. OK, so let me help you see. The vector you are pointing to doesn't exist. You can _not_ subscribe to a bug by sending email to -subscr...@bugs.debian.org. You subscribe to a bug by sending an email to an address that looks like this: 701234-subyes-8aba1368a9ac33362ea1f68c28446c15-65bf3bd3886fb8abfe59d40709c84...@bugs.debian.org I presume this invite address is unforgeable (because Ian Jackson's expertise is in crypto, and he said earlier he designed the system). Sending an email to -subscr...@bugs.debian.org just asks the system to send an invite containing such an address to someone. I'm not sure what email address gets the invite - it could be the envelope MAIL FROM, or the Reply-To, or the From. But really who doesn't matter. All the matters is the only a person controlling an email address is able to subscribe it to a bug, not some random noob. For what it's worth, the invitation contains full text of the subscription request, including all the RFC5322 headers. If it was someone doing something unpleasant it gives you some hope of tracking them down, or blocking them. In other words the current system contains robust defences against such an attack. All I (and I presume Ben) are saying is removing those defences is not a good idea, given it's easy enough to design a system that keeps them. Currently most of the auto subscription proposals appearing here do remove them. signature.asc Description: This is a digitally signed message part
Re: Who gets an email when with bugreports [was: Re: Unauthorised activity surrounding tbb package]
Hi, Quoting Ben Hutchings (2015-01-19 02:03:52) On Mon, 2015-01-19 at 08:37 +0800, Paul Wise wrote: I'd very much appreciate the ability to not be auto-subscribed to every bug so please do implement the opt-out thing, preferably before this change is rolled out. Personally, I think subscriptions should work like this: The default should be to auto-subscribe submitters and contributors to bugs. [...] No, this would turn the BTS into a (worse) spam vector. how about the other way round then: - by default everything stays as it is and there is no auto subscription - by sending an email to the bts I can activate that I'm automatically subscribed to all bugs I submitted or contributed (maybe separately configurable) Would this not make both camps happy: those who would like to autosubscribe to the bugs they file or contribute to and those who rather want to individually subscribe to each bug report? cheers, josch signature.asc Description: signature
Re: Who gets an email when with bugreports [was: Re: Unauthorised activity surrounding tbb package]
On Mon, Jan 19, 2015 at 4:30 PM, Johannes Schauer wrote: how about the other way round then: - by default everything stays as it is and there is no auto subscription - by sending an email to the bts I can activate that I'm automatically subscribed to all bugs I submitted or contributed (maybe separately configurable) Would this not make both camps happy: those who would like to autosubscribe to the bugs they file or contribute to and those who rather want to individually subscribe to each bug report? I think that will just continue the current situation where people don't know that they have to be subscribed to get followups, as they are used to other bug trackers where both bug submission and even posting a comment will get you on the subscribe list by default. Maybe this: New submitters get the autosubscribe bit by default. People who have submitted before 2015 do not get the autosubscribe bit by default. -- bye, pabs https://wiki.debian.org/PaulWise -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/caktje6hh0mctv-bx01durougu---gvuzmpfnjwwo7okrhan...@mail.gmail.com
Re: Who gets an email when with bugreports [was: Re: Unauthorised activity surrounding tbb package]
On 19/01/15 01:14, Paul Wise wrote: On Mon, Jan 19, 2015 at 5:03 PM, Tomas Pospisek wrote: But isn't subscribing participants natural? Posting to a bug report means participation and thus you'd get the follow-ups. Why would you post to a bug report if you aren't interested in what happens with it, how things proceed/evolve? It is only natural to people who are used to it happening on other bug trackers. People often file bugs for issues they discover in software they don't use or care about, getting followups to those isn't necessary. I can understand your point of view and I think also the why but isn't that position the exception from the rule? That is shouldn't the process be optimized for the common case and allow the exception? The problem is that there is no common case. The only generality I can think of is that people who have been around for a long time generally want the status quo and new people who are usually used to other bug trackers want to be subscribed by default. Hi. It is far better to get the surprise that you got subscribed and having to unsubscribe than to get the surprise that you did not get subscribed and missing real-time conversation. Also, automatic subscription would definitely lower the barrier for potential contributors, as it is expected to be subscribed; it also makes continued contribution require less effort. Experts that want to nitpick each case could have a flag available and their default could be changed by one or another way. Best regards. -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/54bd7a61.7040...@alvarezp.ods.org
Re: Who gets an email when with bugreports [was: Re: Unauthorised activity surrounding tbb package]
On Mon, Jan 19, 2015 at 4:41 AM, Russell Stuart wrote: But isn't subscribing participants natural? It may be natural, but IMO you are underestimating the spam vector problem. Debian's bug submission mechanism does not try to verify you control the email address you are submitting from. Most other bug tracking systems do such authentication, usually by requiring you to create an account. Since there is no verification it becomes trivial to sign someone up to 1000's of bugs using a script. Isn't the spam vector already wide open for nn-subscr...@bugs.debian.org, which isn't much (ab)used today? I fail to see how any of the discussed changes open an abuse vector that doesn't already exist. Best wishes, Mike -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/CANTw=MO6gKhnJtrjKFiGWYm4vFpb-PjcrOTKJ4WM8-LQ0t=z...@mail.gmail.com
Re: Who gets an email when with bugreports [was: Re: Unauthorised activity surrounding tbb package]
On 2015-01-19 10:03, Eugene Zhukov wrote: Through my experience this is not the case - even the maintainer doesn't get mail about a bug. For example I'm listed as a maintainer of epubcheck package, No, you're not: Maintainer: Debian XML/SGML Group debian-xml-sgml-p...@lists.alioth.debian.org You're listed in the Uploaders field, which is approximately co-maintainers. Those indeed don't receive mail from the BTS. but I didn't receive any email about reported bug #773366. The maintainer received it just fine. See http://lists.alioth.debian.org/pipermail/debian-xml-sgml-pkgs/2014-December/011832.html Regards, Adam -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/7f7bd0331167cbf2fa6cac147aba0...@mail.adsl.funky-badger.org
Re: Who gets an email when with bugreports [was: Re: Unauthorised activity surrounding tbb package]
+++ Adam D. Barratt [2015-01-19 11:01 +]: On 2015-01-19 10:47, Mattia Rizzolo wrote: On Mon, Jan 19, 2015 at 09:26:41AM +, Wookey wrote: Can someone remind me what the current rules are (or where it's written down). I know it doesn't work the way I expect it ought to, but I forget/never-understood exactly how it does work. The package maintainer gets all the email releated to the bugs (including responses from control@b.d.o), unless the emails are sent to -quiet@b.d.o. That's incorrect. nnn-submitter doesn't get sent to the maintainer either, as covered earlier in this thread. There's a reference list on https://www.debian.org/Bugs/Developer#followup Ah yes, and that list has no option for 'maintainer and submitter' or 'everybody who replied to this bug' which both seem like things one would like to use. Also, so far as I can tell, neither of those are default cases either. I recall looking at that list for the 'maintainer and submitter' option, and being disappointed not to find one. Am I right that the only way to expliticly mail the submitter and the maintainer is to look the submitter's mail up in the initial bugrep and just CC it, whilst replying to bugnum@b.d.o, which will automatically include the maintainer? (which feels like work the BTS could do for me, maybe even by default). Or should I mail both nnn@b.d.o _and_ nnn-submitter@b.d.o to get the desired effect? Doesn't that result in two mails to debian-bugs-dist, which seems wrong/unhelpful? I can see that the system goes to a lot of trouble to make sure people don't get mail they didn't want, but it seems to make it hard to ensure thast everyone _does_ get responses. Perhaps I am failing to understand how to use it, but in that case I claim that it's not very obvious. I think Stefano accurately described how I think it should work. Wookey -- Principal hats: Linaro, Debian, Wookware, ARM http://wookware.org/ -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20150119113120.ge4...@stoneboat.aleph1.co.uk
Re: Who gets an email when with bugreports [was: Re: Unauthorised activity surrounding tbb package]
Firstly, I should say: I'm sorry that I got the design of this wrong when I set up the BTS. I hadn't appreciated at the time that bug reports are actually (amongst other things) ad-hoc mailing lists. Paul Wise writes (Re: Who gets an email when with bugreports [was: Re: Unauthorised activity surrounding tbb package]): Personally, I think subscriptions should work like this: The default should be to auto-subscribe submitters and contributors to bugs. Yes for submitters. No for contributors; that wouldn't be very opt-in. Instead, contributors should get an auto-subscribe confirmation request email when they first email a particular bug. Every email address can have an auto-subscribe value associated with it to override that. This would be nice but is IMO not essential. Thanks, Ian. -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/21693.8751.967879.605...@chiark.greenend.org.uk
Re: Who gets an email when with bugreports [was: Re: Unauthorised activity surrounding tbb package]
On Mon, Jan 19, 2015 at 05:14:18PM +0800, Paul Wise wrote: People often file bugs for issues they discover in software they don't use or care about, getting followups to those isn't necessary. Uh? What's your rationale for this, and in particular for the often part? Surely the typical use case for a bug report is I use this software - this feature doesn't work - I submit a bug report? That is the use case we should optimize for, because taking the risk of leaving out the original bug submitter from conversations around that bug increase friction in the bug fixing process, in turn reducing the quality of our distro. The main use cases of someone reporting a bug against software they don't use is quality-assurance activities. Which is clearly a very important activity, but we should not optimize for it. I've done my share of QA work in Debian, including mass bug filing, but my gut feeling is that still, 90% of the bugs I've reported to Debian throughout all my life are against software that I use and care about. (Clearly, we should not make the QA use case needlessly painful. Hence I'm all for the opt-out mechanism you and Don discussed in another part of the thread. But I'm convinced that we should optimize for the other use case.) Cheers. -- Stefano Zacchiroli . . . . . . . z...@upsilon.cc . . . . o . . . o . o Maître de conférences . . . . . http://upsilon.cc/zack . . . o . . . o o Former Debian Project Leader . . @zack on identi.ca . . o o o . . . o . « the first rule of tautology club is the first rule of tautology club » signature.asc Description: Digital signature
Re: Who gets an email when with bugreports [was: Re: Unauthorised activity surrounding tbb package]
On Mon, January 19, 2015 10:14, Paul Wise wrote: On Mon, Jan 19, 2015 at 5:03 PM, Tomas Pospisek wrote: But isn't subscribing participants natural? Posting to a bug report means participation and thus you'd get the follow-ups. Why would you post to a bug report if you aren't interested in what happens with it, how things proceed/evolve? It is only natural to people who are used to it happening on other bug trackers. The only seems to suggest this is a minority. I would however argue that the majority of other bug tracking systems do subscribe you to bugs you interact with. It makes sense to me that you do not need intimate knowledge of the Debian BTS to contribute, rather, it should by default behave as people with only prior experience in other environments would expect it to. People often file bugs for issues they discover in software they don't use or care about, getting followups to those isn't necessary. While this use case exists, this is again surely a minority and in general people will file bugs because they ran into them or otherwise have an interest. The defaults should match this; the power users can always investigate how to best opt out. Cheers, Thijs -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/c0c487d45d5c224726070a5eb27e7878.squir...@aphrodite.kinkhorst.nl
Re: Who gets an email when with bugreports [was: Re: Unauthorised activity surrounding tbb package]
+++ Paul Wise [2015-01-19 17:14 +0800]: On Mon, Jan 19, 2015 at 5:03 PM, Tomas Pospisek wrote: I can understand your point of view and I think also the why but isn't that position the exception from the rule? That is shouldn't the process be optimized for the common case and allow the exception? The problem is that there is no common case. The only generality I can think of is that people who have been around for a long time generally want the status quo and new people who are usually used to other bug trackers want to be subscribed by default. I want to be subscribed to bugs I submit (by default). It annoys me that this doesn't happen and I miss replies or updates. Occaisionally I submit bugs I'm not actually very interested in, but that's not the usual case. Can someone remind me what the current rules are (or where it's written down). I know it doesn't work the way I expect it ought to, but I forget/never-understood exactly how it does work. Do maintainers always get the initial mail to a bug, but not the rest, unless they subscribe? That seems rather unhelpful if so (as illustrated by Mr Capper's frustration at the start of this thread) Wookey -- Principal hats: Linaro, Debian, Wookware, ARM http://wookware.org/ -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20150119092640.gc4...@stoneboat.aleph1.co.uk
Re: Who gets an email when with bugreports [was: Re: Unauthorised activity surrounding tbb package]
On Mon, Jan 19, 2015 at 09:26:41AM +, Wookey wrote: Can someone remind me what the current rules are (or where it's written down). I know it doesn't work the way I expect it ought to, but I forget/never-understood exactly how it does work. Do maintainers always get the initial mail to a bug, but not the rest, unless they subscribe? That seems rather unhelpful if so (as illustrated by Mr Capper's frustration at the start of this thread) The package maintainer gets all the email releated to the bugs (including responses from control@b.d.o), unless the emails are sent to -quiet@b.d.o. If other people want to receive such emails (e.g. comaintainers) they should subscribe through the PTS (or the tracker, with its nice UI and the big Subscribe bottom in the top-right edge) at the relevant keywords: - bts: for normal discussion emails - bts-control: for control@b.d.o replies -- regards, Mattia Rizzolo GPG Key: 4096R/B9444540 http://goo.gl/I8TMB more about me: http://mapreri.org Launchpad User: https://launchpad.net/~mapreri Ubuntu Wiki page: https://wiki.ubuntu.com/MattiaRizzolo signature.asc Description: Digital signature
Re: Who gets an email when with bugreports [was: Re: Unauthorised activity surrounding tbb package]
On Mon, Jan 19, 2015 at 5:03 PM, Tomas Pospisek wrote: But isn't subscribing participants natural? Posting to a bug report means participation and thus you'd get the follow-ups. Why would you post to a bug report if you aren't interested in what happens with it, how things proceed/evolve? It is only natural to people who are used to it happening on other bug trackers. People often file bugs for issues they discover in software they don't use or care about, getting followups to those isn't necessary. I can understand your point of view and I think also the why but isn't that position the exception from the rule? That is shouldn't the process be optimized for the common case and allow the exception? The problem is that there is no common case. The only generality I can think of is that people who have been around for a long time generally want the status quo and new people who are usually used to other bug trackers want to be subscribed by default. -- bye, pabs https://wiki.debian.org/PaulWise -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/caktje6enxdr+m1anjusqeue2cpo4iaasb88ykc8--s7aggk...@mail.gmail.com
Re: Who gets an email when with bugreports [was: Re: Unauthorised activity surrounding tbb package]
On Mon, 2015-01-19 at 10:03 +0100, Tomas Pospisek wrote: Am 19.01.2015 um 02:03 schrieb Ben Hutchings: No, this would turn the BTS into a (worse) spam vector. But the acknowledgement mail should tell you how to subscribe, if you aren't already subscribed. But isn't subscribing participants natural? It may be natural, but IMO you are underestimating the spam vector problem. Debian's bug submission mechanism does not try to verify you control the email address you are submitting from. Most other bug tracking systems do such authentication, usually by requiring you to create an account. Since there is no verification it becomes trivial to sign someone up to 1000's of bugs using a script. Treating every bug submission as a subscribe request (by putting a subscribe link in the ack) is one compromise. (I am sort of surprised that doesn't happen already.) Automatically subscribing a DD to any bug he sends a signed message to is another. I am partial to the latter, even though it is a partial solution. It encourages DD to sign their bug reports. IMHO anything we can do to encourage DD's to sign their emails to the project improves our security. signature.asc Description: This is a digitally signed message part
Re: Who gets an email when with bugreports [was: Re: Unauthorised activity surrounding tbb package]
On Mon, Jan 19, 2015 at 11:26 AM, Wookey woo...@wookware.org wrote: +++ Paul Wise [2015-01-19 17:14 +0800]: On Mon, Jan 19, 2015 at 5:03 PM, Tomas Pospisek wrote: I can understand your point of view and I think also the why but isn't that position the exception from the rule? That is shouldn't the process be optimized for the common case and allow the exception? The problem is that there is no common case. The only generality I can think of is that people who have been around for a long time generally want the status quo and new people who are usually used to other bug trackers want to be subscribed by default. I want to be subscribed to bugs I submit (by default). It annoys me that this doesn't happen and I miss replies or updates. Occaisionally I submit bugs I'm not actually very interested in, but that's not the usual case. Can someone remind me what the current rules are (or where it's written down). I know it doesn't work the way I expect it ought to, but I forget/never-understood exactly how it does work. Do maintainers always get the initial mail to a bug, but not the rest, unless they subscribe? That seems rather unhelpful if so (as illustrated by Mr Capper's frustration at the start of this thread) Through my experience this is not the case - even the maintainer doesn't get mail about a bug. For example I'm listed as a maintainer of epubcheck package, but I didn't receive any email about reported bug #773366. I've sent a mail to ow...@bugs.debian.org asking about absence of any notification about reported bug, but no response since 12/22/14. Eugene -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/capqgmflvr7fq7yv67ybhpj1vwgaz5m5am82aauoi8p5ikbu...@mail.gmail.com
Re: Who gets an email when with bugreports [was: Re: Unauthorised activity surrounding tbb package]
On 2015-01-19 11:31, Wookey wrote: I recall looking at that list for the 'maintainer and submitter' option, and being disappointed not to find one. Am I right that the only way to expliticly mail the submitter and the maintainer is to look the submitter's mail up in the initial bugrep and just CC it, whilst replying to bugnum@b.d.o, which will automatically include the maintainer? Yes. If it's done right from the start, you don't have to look their address up though. The Reply-To on the copy of the submission mail sent by the BTS is set to include both the submitter and n@bugs (and therefore the maintainer). Regards, Adam -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/6bc31fef80cf4868adc557ddafaf0...@mail.adsl.funky-badger.org
Re: Who gets an email when with bugreports [was: Re: Unauthorised activity surrounding tbb package]
Am 19.01.2015 um 02:03 schrieb Ben Hutchings: On Mon, 2015-01-19 at 08:37 +0800, Paul Wise wrote: On Mon, Jan 19, 2015 at 8:06 AM, Don Armstrong wrote: I'm going to put together a bit more firm of a proposal in the next few weeks, but I think that basically everything but nnn-done@ and nnn-submitter@ should be no different from mailing nnn@, and until I allow submitters to opt out of e-mail, mailing nnn-submitter@ should be no different from e-mailing nnn@ either. I'd very much appreciate the ability to not be auto-subscribed to every bug so please do implement the opt-out thing, preferably before this change is rolled out. Personally, I think subscriptions should work like this: The default should be to auto-subscribe submitters and contributors to bugs. [...] No, this would turn the BTS into a (worse) spam vector. But the acknowledgement mail should tell you how to subscribe, if you aren't already subscribed. But isn't subscribing participants natural? Posting to a bug report means participation and thus you'd get the follow-ups. Why would you post to a bug report if you aren't interested in what happens with it, how things proceed/evolve? I can understand your point of view and I think also the why but isn't that position the exception from the rule? That is shouldn't the process be optimized for the common case and allow the exception? Technically the exception could be implemented by adding a further pseudo header to the message body: Subscribe: false Another technical solution could be as noted in a different mail in this thread to allow submitters to set a global flag that says don't automatically subscribe me on participation. ? Thanks *t -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/54bcc865.4090...@sourcepole.ch
Re: Who gets an email when with bugreports [was: Re: Unauthorised activity surrounding tbb package]
On 2015-01-19 10:47, Mattia Rizzolo wrote: On Mon, Jan 19, 2015 at 09:26:41AM +, Wookey wrote: Can someone remind me what the current rules are (or where it's written down). I know it doesn't work the way I expect it ought to, but I forget/never-understood exactly how it does work. Do maintainers always get the initial mail to a bug, but not the rest, unless they subscribe? That seems rather unhelpful if so (as illustrated by Mr Capper's frustration at the start of this thread) The package maintainer gets all the email releated to the bugs (including responses from control@b.d.o), unless the emails are sent to -quiet@b.d.o. That's incorrect. nnn-submitter doesn't get sent to the maintainer either, as covered earlier in this thread. There's a reference list on https://www.debian.org/Bugs/Developer#followup Regards, Adam -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/d777148cf3a3131f1b362e8826351...@mail.adsl.funky-badger.org
Re: Who gets an email when with bugreports [was: Re: Unauthorised activity surrounding tbb package]
Tomas Pospisek t...@sourcepole.ch writes: But isn't subscribing participants natural? Posting to a bug report means participation and thus you'd get the follow-ups. Why would you post to a bug report if you aren't interested in what happens with it, how things proceed/evolve? Most other bug systems require at least a weak authentication step before letting you comment on a bug, so there's some reasonable binding of identity of the person commenting with an email address. This is not true for the Debian BTS. -- Russ Allbery (r...@debian.org) http://www.eyrie.org/~eagle/ -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/87d26ahg4x@hope.eyrie.org
Re: Who gets an email when with bugreports [was: Re: Unauthorised activity surrounding tbb package]
On Mon, Jan 19, 2015 at 8:06 AM, Don Armstrong wrote: I'm going to put together a bit more firm of a proposal in the next few weeks, but I think that basically everything but nnn-done@ and nnn-submitter@ should be no different from mailing nnn@, and until I allow submitters to opt out of e-mail, mailing nnn-submitter@ should be no different from e-mailing nnn@ either. I'd very much appreciate the ability to not be auto-subscribed to every bug so please do implement the opt-out thing, preferably before this change is rolled out. Personally, I think subscriptions should work like this: The default should be to auto-subscribe submitters and contributors to bugs. Every email address can have an auto-subscribe value associated with it to override that. Every bug submission and mail to @ can include a Subscribe header to override that. There should be a set of addresses that are auto-subscribed to all bugs relating to individual packages. Current Maintainers/Uploaders should be automatically included in that set, at least until we get rid of those headers. The list of subscribers should be visible on the bug web page and reply links shouldn't include subscribers who are subscribed. A reply to all link could be used to mail the bug and everyone who contributed to the bug that isn't subscribed. The Reply-To and Mail-Followup-To headers should be set if they aren't already so that people don't get duplicate mails. -- bye, pabs https://wiki.debian.org/PaulWise -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/caktje6fadvpad8ei9zhdfg5psch0vjxgjx2zecqn6fdv6wf...@mail.gmail.com
Re: Who gets an email when with bugreports [was: Re: Unauthorised activity surrounding tbb package]
On Mon, 2015-01-19 at 08:37 +0800, Paul Wise wrote: On Mon, Jan 19, 2015 at 8:06 AM, Don Armstrong wrote: I'm going to put together a bit more firm of a proposal in the next few weeks, but I think that basically everything but nnn-done@ and nnn-submitter@ should be no different from mailing nnn@, and until I allow submitters to opt out of e-mail, mailing nnn-submitter@ should be no different from e-mailing nnn@ either. I'd very much appreciate the ability to not be auto-subscribed to every bug so please do implement the opt-out thing, preferably before this change is rolled out. Personally, I think subscriptions should work like this: The default should be to auto-subscribe submitters and contributors to bugs. [...] No, this would turn the BTS into a (worse) spam vector. But the acknowledgement mail should tell you how to subscribe, if you aren't already subscribed. Ben. -- Ben Hutchings Larkinson's Law: All laws are basically false. signature.asc Description: This is a digitally signed message part
Re: Who gets an email when with bugreports [was: Re: Unauthorised activity surrounding tbb package]
On Sun, 18 Jan 2015, Tomas Pospisek wrote: I guess, changing semantics of bugnumber[-something]@b.d.o yet again will not be considered. Actually, I think that the way we handle nnn-* is pretty much wrong, but it's wrong for mainly historical and manpower reasons. I'm going to put together a bit more firm of a proposal in the next few weeks, but I think that basically everything but nnn-done@ and nnn-submitter@ should be no different from mailing nnn@, and until I allow submitters to opt out of e-mail, mailing nnn-submitter@ should be no different from e-mailing nnn@ either. I don't know what to do about contributors to a bug being e-mailed as well, but maybe even they should also be e-mailed by default... but I've been making the perfect the enemy of the good for too long here, I think. -- Don Armstrong http://www.donarmstrong.com He was wrong. Nature abhors dimensional abnormalities, and seals them neatly away so that they don't upset people. Nature, in fact, abhors a lot of things, including vacuums, ships called the Marie Celeste, and the chuck keys for electric drills. -- Terry Pratchet _Pyramids_ p166 -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20150119000632.gj21...@teltox.donarmstrong.com
Who gets an email when with bugreports [was: Re: Unauthorised activity surrounding tbb package]
Am 18.01.2015 um 17:41 schrieb Andreas Tille: On Sun, Jan 18, 2015 at 01:07:35PM +, Mark Brown wrote: On Sun, Jan 18, 2015 at 10:09:34AM +0100, Andreas Tille wrote: On Fri, Jan 16, 2015 at 04:48:33PM +, Steven Capper wrote: we have had no discussion over #773359; your response is effectively placing words in my mouth and I will not tolerate that. To confound matters, I wasn't even CC'ed in on the response! Usually it is expected that the maintainer receives every posting to the bugs of the package he maintains. So there was no real point to add an additional CC. The followups were sent to -submitter which unfortunately explicitly doesn't CC the maintainer (I guess the main intended use case is for the maintainer to talk to the submitter), an extra CC needs to be added to include the maintainer. OK, that's a bit unfortunate. On the other hand the fact that Steven as maintainer did not checked the bug log of an RC bug for nearly one month (and he received the original bug report) remains a good reason for anybody else who is interested in the Jessie release to react. I think the semantics of x...@bugs.debian.org are very unfortunate. My *intuition* is always making me believe that everything sent to bugnum...@bugs.debian.org should go to /everbody involved in the bugreport's thread/. But that's no so. From that fact stem (as far as my understanding goes) a lot of rules who gets what when sending email to bugnumber-someth...@bugs.debian.org. And additionally there's the subscription to a bug as well. I have regularly problems with people posting to bugreports I'm participating in, that I don't get, because I'm not subscribed to them (so now I should be managing subscriptions to all bugs I've ever participated in...) or because reporters didn't write to the right bugnumber-***@bugs.debian.org and Cc: addresses, or because they didn't care or because... That's bad, because - as shown in the thread off which this posting is forking off - reasoning about and discussion in bugreports fades off into interpretations about why one did or did not get an email and that's not helpful when dealing with potentially (emotionally) sensitive bugs. I guess, changing semantics of bugnumber[-something]@b.d.o yet again will not be considered. But I think a lot of unnecessary friction stems from the unclear or unintuitive or not defined where people would see them semantics. I do not want this observation be understood as a critique of the people who are involved in the creation of those rules. There might be many reason for them being so, many of which I have no insight into (but I am certainly appreciating that work very much). *t -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/54bc1734.5050...@sourcepole.ch