On Fri, 15 Apr 2016, Drake Wilson wrote:

> Package: lists.debian.org
> Severity: important
> 
> We seem to be having a recurring problem of people who want off 
> debian-security-announce
> unintentionally bothering debian-security about it, or trying to unsubscribe 
> to the latter
> list and then finding it doesn't do what they want.  Then they feel helpless 
> and start
> spewing messages in all directions, because feeling unable to shut off an 
> unpredictable
> stimulus that repeatedly yanks one's attention has a way of jamming spikes 
> into one's
> psyche.  This also means people who want to be on debian-security get these 
> messages
> flung at them as a side effect.
> 
> I think it would be more reasonable to set the Reply-To address for d-s-a 
> posts to a
> robot that responds with a canned message to the effect of "if you wish to 
> discuss this
> further, subscribe to debian-security and post anew there; if you wish to 
> unsubscribe,
> you should be asking debian-security-announce-request; if you actually meant 
> to send
> this to your colleagues at the NOC, you can ignore this message but you might 
> want
> to be more careful in the future".  Bonus points if it recognizes the second 
> case
> and automatically does the first step of the process, so that a reply to the 
> first
> canned message does the unsubscribe-confirmation step.
> 
> By this, I mean that if this address is being set by the senders of such 
> messages,
> the policy should be changed; if it is being set by the mailing list software,
> it should be reconfigured; and if it is being set by the senders because the 
> mail
> may be replicated in multiple places, the mailing list software should be 
> configured
> to munge the header on d-s-a only.  If there is some other process going on, 
> extrapolate
> accordingly.
> 
> The expanded form of this:
> 
>  1. The Reply-To address for messages on debian-security-announce generally 
> points
>     to debian-security.  This is unusual; why is this done in the first 
> place?  The
>     obvious reason is "so that people who wish to discuss DSAs further can do 
> so on
>     debian-security conveniently", but if that's the only reason, I think the 
> side
>     effects are intolerable by comparison.
> 
>     1a. People who are potentially knowledgeable also don't readily recognize 
> this,
>         often treat the situation as the usual "asking _on the list from 
> which one
>         wishes to be unsubscribed_" situation, and then provide the _wrong_ 
> -request
>         address while trying to help the hapless users who just don't want 
> their
>         mailbox flooded with stuff which is now irrelevant to them.  If this 
> then
>         starts showing up in Web searches and misleads the next user who 
> tries to
>         unsubscribe and maybe does a little more research first, so much the 
> worse!
> 
>  2. I _assume_ what's happening is users are pressured to subscribe to d-s-a 
> when
>     they start using Debian, because of important announcements.  These 
> people are
>     _not_ necessarily even aware of the idea of getting involved in the 
> interactive
>     mailing list culture of Debian, and certainly are unlikely to read the 
> codes of
>     conduct for the lists first.  They later stop using Debian, or decide 
> that they
>     will handle security announcements some other way (possibly a bad way, 
> but that's
>     a separate problem), but now they can't figure out how to stop receiving 
> all this
>     mail.
> 
>     2a. Importantly: these people may not be used to using mailing lists of 
> the more
>         usual "free-software world" type _at all_!  Nor is it realistic to 
> expect
>         them to handle the cognitive load of remembering such things between 
> a one-off
>         event and a distant point in time.
> 
>     2b. Note that the pressure to subscribe to d-s-a may come from other 
> well-meaning
>         individuals providing tutorials or such, so there's no way to get all 
> of them.
> 
>  3. Posts to d-s-a have no human-readable subscription-manipulation 
> information in
>     the body, so there's no reminder of what to do that actually shows up at 
> the time.
>     It would sure be nice if _everyone's_ clients respected List-Unsubscribe 
> headers
>     (and if they knew how to request this function in their client!) but 
> obviously
>     this isn't consistently true; see (2a).
> 
>     3a. This, in combination with (1), passively encourages users to violate 
> the "If
>         you send messages to lists to which you are not subscribed, always 
> note that
>         fact in the body of the message" policy in the Debian lists code of 
> conduct,
>         because it makes it very easy to forget; normally, sending to lists 
> to which
>         one is not subscribed has much more of a conscious barrier to it.  
> This is
>         true even for users who are notionally aware of the situation.
> 
>  4. debian-security (like most Debian lists) isn't filtering messages from 
> unsubscribed
>     individuals, which isn't inherently bad, but amplifies the rest of this 
> quite badly
>     because it means unrelated individuals who _do_ want to engage 
> interactively take
>     splash noise.
> 
>     4a. Whatever filter is supposed to be keeping administrivia from hitting 
> the
>         list in general obviously isn't working; "machine learning is hard" 
> aside,
>         I repeatedly see messages with the subject or first line literally 
> being
>         "unsubscribe" in its entirety.  In any event, this wouldn't help with 
> everything,
>         because inattentive replies in general (which are coming from a 
> psychological
>         context of not being in "interactive mailing list mode") and 
> unsuitably-configured
>         out-of-office autoresponders are also problems, and all of these seem 
> to come
>         from the same disconnect between action and effect caused by the 
> weird Reply-To
>         configuration.
> 
> Thus my suggestion at the top.
> 
> Aside from any of that, I'd volunteer to play docent to the users affected by 
> this
> if I had the energy over time, but I really don't.  If there's a one-off 
> action I
> can do to help, it would be nice to know what it is in case I can manage it 
> somehow.
> 
> Can we please get this to stop?
It is not up to listmasters to decide that. The policy of a list is decided
by its owners - the security team in that case - if the security team decides
about a different policy, we will try to set it up. 

Alex
 

Reply via email to