Bug#438494: Mail response to trackers don't work.

2007-08-17 Thread Sascha Wilde 
Package: gforge-common
Version: 4.5.14-22

It isn't possible to reply to tracker issues per mail.
This issue was fixed by removing the blurb about replying by mail
being possible from the tracker generated mails in version 4.5.14-2.

This workaround isn't acceptable, as the ability to reply per mail is
an important standard feature of tracking systems which definitely
shoul work.

Hints on resolving this:
- the mail addresses deeded for reply are missing from the database,
  maybe a view mta_trackers (according to mta_lists and mta_users) is
  needed?

cheers
sascha
-- 
Sascha Wilde  OpenPGP key: 4BB86568
Intevation GmbH, Osnabrück http://www.intevation.de/~wilde/
Amtsgericht Osnabrück, HR B 18998 http://www.intevation.de/
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

Bug#438494: Mail response to trackers don't work.

2007-08-17 Thread Roland Mas 
Sascha Wilde, 2007-08-17 14:25:48 +0200 :

 It isn't possible to reply to tracker issues per mail.  This issue
 was fixed by removing the blurb about replying by mail being
 possible from the tracker generated mails in version 4.5.14-2.

 This workaround isn't acceptable, as the ability to reply per mail
 is an important standard feature of tracking systems which
 definitely shoul work.

While it's not hard to enable (I've made it work on a local instance),
it's not something I'm currently considering to do, for the very
simple reason that it completely bypasses any kind of security checks.
Trusting the From: header of any random mail sent to a well-known (or
easily guessed) address and accepting that as a proof of identity
is... not good.  Oh, and it won't work anyway if two Gforge accounts
share a single mail address.

  The same applies to posting to forums, by the way.

Roland.
-- 
Roland Mas

Infinity contains more things than you think.  Everything, for a start.
  -- in Witches Abroad (Terry Pratchett)


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Bug#438494: [Sascha Wilde] Re: Bug#438494: Mail response to trackers don't work.

2007-08-17 Thread Roland Mas 
---BeginMessage---
Roland Mas [EMAIL PROTECTED] writes:
 Sascha Wilde, 2007-08-17 14:25:48 +0200 :

 It isn't possible to reply to tracker issues per mail.  This issue
 was fixed by removing the blurb about replying by mail being
 possible from the tracker generated mails in version 4.5.14-2.
[...]
 While it's not hard to enable (I've made it work on a local
 instance),

So, maybe you could send me the required patch?

 it's not something I'm currently considering to do, for the very
 simple reason that it completely bypasses any kind of security checks.
 Trusting the From: header of any random mail sent to a well-known (or
 easily guessed) address and accepting that as a proof of identity
 is... not good.

I agree, it sucks, just like IMHO the whole build in trackers do, but
some of our hosted projects are strongly demanding it.

And after all: it isn't any worse than sf.net is (was?) or any GForge
installation made from the official upstream tarballs, or is it?

oh btw.: is it intentional too, that most of the administrative
mailman addresses are missing or broken?

FYI, here is a fixed version I use on our server:

CREATE VIEW fixed_mta_lists AS
SELECT
list_name,
list_name || '-request' AS list_request_name,
list_name || '-owner' AS list_owner_name,
'|/var/lib/mailman/mail/mailman post ' || list_name || '' AS 
post_address,
'|/var/lib/mailman/mail/mailman admin ' || list_name || '' AS 
admin_address,
'|/var/lib/mailman/mail/mailman bounces ' || list_name || '' 
AS bounces_address,
'|/var/lib/mailman/mail/mailman confirm ' || list_name || '' 
AS confirm_address,
'|/var/lib/mailman/mail/mailman join ' || list_name || '' AS 
join_address,
'|/var/lib/mailman/mail/mailman leave ' || list_name || '' AS 
leave_address,
'|/var/lib/mailman/mail/mailman owner ' || list_name || '' AS 
owner_address,
'|/var/lib/mailman/mail/mailman request ' || list_name || '' 
AS request_address,
'|/var/lib/mailman/mail/mailman subscribe ' || list_name || 
'' AS subscribe_address,
'|/var/lib/mailman/mail/mailman unsubscribe ' || list_name || 
'' AS unsubscribe_address
FROM mail_group_list
WHERE status = 3;


cheers
sascha
-- 
Sascha Wilde  OpenPGP key: 4BB86568
Intevation GmbH, Osnabrück http://www.intevation.de/~wilde/
Amtsgericht Osnabrück, HR B 18998 http://www.intevation.de/
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner


pgpDVBj3TaTKH.pgp
Description: PGP signature
---End Message---

-- 
Roland Mas

Depuis 1977.