On Wed November 1 2006 16:20, Javier Fernández-Sanguino Peña wrote:
> When I have suggested that (sending signed messages to the BTS to be
> accepted for processing) it was
>
> a) for mails to -close or to [EMAIL PROTECTED] to prevent a
> spammer/malicious person from closing all the bugs or mangling with
> the BTS in such a way that would take us some effort to recover
>
> b) restricted to providing a signed mail, not necessarily with a
> signature in the DD keyring. (this could be added later on to prevent
> abuse, if needed be and could still have a 'whitelist' of valid keys
> which could include non-DDs)
>
> If there's a non-DD playing with the BTS (closing bugs or using
> control@) I guess it's not really too much to ask for them to use
> signed e-mails when fiddling with it. Is it?

I don't think so. Although, it is weaker than a pseudoheader since it would be easier for spammers to sign their messages than look up the package name associated with a particular bug number, and less effort than keeping a whitelist. Furthermore, it would be clear that a spammer was targeting Debian if they did the name<->number look up... which would make it easier to make a case that they are intentionally interfering with Debian's systems.

Keep in mind that my original response was to your post which stated: "...implemented so as to only consider GPG/PGP signed mail from DDs..."

- Bruce