Martin v. Löwis <mar...@v.loewis.de> added the comment:

I think some indication must be given to a legitimate user, as the user 
otherwise may not recall what email account to check. In the specific case of 
bugs.python.org, it may, in particular, be a sourceforge address.

If people are worried that users massively read out email addresses from the 
bug tracker, I'd rather rate-limit password reset operations by IP address, to 
one reset per hour. 

If users use this to research a specific email address of a specific user 
account, I'd rather not stop them from doing so. People who are too worried 
about revealing their email address should arrange to use a separate address 
for places such as the bug tracker.

----------
nosy: +loewis

_______________________________________________________
PSF Meta Tracker <metatrac...@psf.upfronthosting.co.za>
<http://psf.upfronthosting.co.za/roundup/meta/issue430>
_______________________________________________________
_______________________________________________
Tracker-discuss mailing list
Tracker-discuss@python.org
http://mail.python.org/mailman/listinfo/tracker-discuss
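
The per-IP limit proposed in the comment above (one password reset per hour), as an added example; it is not Roundup's or the tracker's own code. The class name `ResetLimiter`, the injected clock, and the grouping of IPv6 clients by /64 are assumptions of this example, and the addresses are constructed documentation-range values.

```python
import ipaddress
import time


class ResetLimiter:
    """Allow one password-reset request per client bucket per window."""

    def __init__(self, window_seconds=3600, clock=time.monotonic):
        self.window = window_seconds
        self.clock = clock   # injectable so the window can be tested
        self._last = {}      # bucket key -> time of the last allowed reset

    @staticmethod
    def bucket(remote_addr):
        """Map a client address to its rate-limit bucket.

        IPv4 is limited per address. IPv6 is limited per /64 (an assumption
        of this example), because a single client usually controls a whole
        /64 and could otherwise rotate addresses to get unlimited resets.
        """
        ip = ipaddress.ip_address(remote_addr)
        if ip.version == 6:
            if ip.ipv4_mapped is not None:   # ::ffff:a.b.c.d is the same client
                return str(ip.ipv4_mapped)
            return str(ipaddress.IPv6Network(f"{ip}/64", strict=False))
        return str(ip)

    def allow(self, remote_addr):
        """Return True and record the request if this client may reset now."""
        now = self.clock()
        # Drop expired entries so the table does not grow without bound.
        for key in [k for k, t in self._last.items() if now - t >= self.window]:
            del self._last[key]
        key = self.bucket(remote_addr)
        if key in self._last:   # still inside the window: refuse, do not extend
            return False
        self._last[key] = now
        return True


if __name__ == "__main__":
    limiter = ResetLimiter()
    # Constructed sample requests (documentation address ranges).
    for addr in ["192.0.2.7", "192.0.2.7", "2001:db8:0:1::5", "2001:db8:0:1:ffff::9"]:
        print(addr, "allowed" if limiter.allow(addr) else "rate-limited")
```

The address passed to `allow()` must be the real client address; behind a reverse proxy that means the address the proxy reports, not the proxy's own.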
