On Sat, 12 Nov 2005 10:35:29 -0700 (MST)
"M. Warner Losh" <[EMAIL PROTECTED]> wrote:

> I've had a couple of private suggestions sent to me.
> The first is to create a raw-query-pr.cgi that will just serve up one
> PR in raw format with no links to this page.
> The second is to add another parameter to query-pr that changes
> quarterly.  pass=bluestarts this quarter, pass=yellowdiamons next, etc
> (well, we wouldn't use the ingredients to lucky charms as a
> password).  This level of security is the same that exists on certain
> invitation only IRC channels that are out there.  Someone has to tell
> you the password, and the password changes from time to time.  Since
> developer mail is project confidential, I would guess it would be
> sufficient to email the new password once a quarter.
> The ugly alternative is to have a 'members only' section of the
> website where you have to login.  In that section, we could also give
> the full names.  However, this suffers from the inability to easily
> use with 'fetch'.
> The fourth alternative is those goofy 'tell me what's in this box'
> schemes.  Prove you are a human.  This sounds more burdensome than
> logging into freefall to do the query-pr, which is Kris' main
> objection to the new change.

Those, and especially the one we use, are too easy to circumvent. There's
somewhere a page (maybe available on the links section on my homepage
or still as a "add me to the links section"-mail somewhere in my
inbox...) which dissects a lot of those schemes and also provides code
how to circumvent them.

With the current scheme in place we also can just render the email
address as a picture. It provides the same protection and also has the
same drawbacks for a committer.

A better alternative would be to obfuscate the address, e.g. replacing
the "@" with an "at" or with a space or an ampersand or a percent sign
or whatever (even randomizing the replacement would be possible). And
replacing dots with something else.

This would result in at least the same computational complexity for
address-harvesters and it would allow one to just cut and paste the
addresses. It gives the additional benefit that sites such as
freshports (or our/foreign mail archives) provide the same obfuscation
without any further work.


               Speak softly and carry a cellular phone.

http://www.Leidinger.net                       Alexander @ Leidinger.net
  GPG fingerprint = C518 BC70 E67F 143F BE91  3365 79E2 9C60 B006 3FE7
cvs-all@freebsd.org mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
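
The randomized "@" and dot replacement proposed in the reply above, as an added example that is not part of the original e-mail or of the FreeBSD web scripts. The replacement strings, the function names and the sample PR text are assumptions made for illustration.

```python
import random
import re

# Pattern a simple harvester (and this filter) would use to spot addresses.
ADDRESS_RE = re.compile(
    r"\b([A-Za-z0-9._%+-]+)@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)\b"
)

# Replacement pools follow the message's suggestions ("at", space, ampersand,
# percent sign); the exact strings are assumptions.
AT_CHOICES = [" at ", " ", " & ", " % "]
DOT_CHOICES = [" dot ", " , ", " _ "]


def obfuscate_addresses(text, rng=None):
    """Rewrite every address in text, picking replacements at random per address."""
    rng = rng or random.SystemRandom()

    def rewrite(match):
        local, domain = match.group(1), match.group(2)
        at = rng.choice(AT_CHOICES)
        dot = rng.choice(DOT_CHOICES)
        # The name parts stay readable, so a person can still cut, paste
        # and repair the address by hand.
        return local.replace(".", dot) + at + domain.replace(".", dot)

    return ADDRESS_RE.sub(rewrite, text)


def harvest(text):
    """What a pattern-based collector would extract from the rendered page."""
    return [m.group(0) for m in ADDRESS_RE.finditer(text)]


# Constructed sample, not a real PR.
SAMPLE_PR = (
    "Originator: Jane Doe <jane.doe@example.org>\n"
    "Reply-To: ports@example.net\n"
)

if __name__ == "__main__":
    print(harvest(SAMPLE_PR))
    rendered = obfuscate_addresses(SAMPLE_PR)
    print(rendered)
    print(harvest(rendered))
```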
