[dist-bugs] Bug wars
Enrico Zini
enrico at enricozini.org
Thu Jul 10 12:16:20 EDT 2008
Hello,

Thank you all for the very stimulating discussion.

I was wondering, how would a bug war be handled in a system where bug
state information is posted by anyone and automatically harvested and
collected from all over the net?

It would be easy, for example, to write a script that looks for buginfos
that close a specific bug, and automatically publishes a new buginfo
that reopens it. An angry user that loses his mind could even spam
buginfos in random web forums or obscure wikis. Or spammers could add
buginfos to their forum/wiki spam in order to get their spam messages
pulled in other BTSes.

IIRC (I'm offline now and I can't check Joey's initial proposal)
buginfos are gpg signed, so theoretically you can blacklist
contributions from well-known bad signatures; however, you need a way to
agree on what signatures are bad, or people will post buginfos based on
the bad entries. And then, a new disposable gpg key can be generated
cheaply at any time.

The only thing that comes to my mind is to fish buginfos only from a
whitelist of sources: the Debian BTS could have a list of other BTSes to
track, and every debian package could have a list of BTSes to track, and
debbugs would only fish from them those bugs related to that package.
But then you'd need a way to name packages univocally across
distributions, which is hard (think of the "git" package in debian, or
library names).

Or one can do it the DVCS way, pulling from specific sources only upon
user request.

However it is done, a security model limits the user experience and the
scope of a tool, so it's an important aspect of design. I could
definitely concede, however, that at this point it's still too early to
discuss securing the system, as most of the discussion is still on
whether the system would work at all (but it does look like it would, so
when do we declare that Joey's initial proposal stands?).

Ciao,
Enrico
--
GPG key: 1024D/797EBFAB 2000-12-05 Enrico Zini <enrico at debian.org>
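
The signer blacklist and the per-package source whitelist discussed in the message above, replayed over the same feed; this is an added example, not part of the original post or of any proposal in the thread. The `BugInfo` record, the "last accepted buginfo wins" rule, and all source and key names are assumptions made for illustration, and signatures are assumed to be already verified.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class BugInfo:      # hypothetical record; the thread does not define a format
    source: str     # site the buginfo was harvested from
    signer: str     # key id of an already-verified signature (assumed)
    package: str
    bug: int
    action: str     # "close" or "reopen"

def replay(feed, accept):
    """Apply buginfos in order; the last accepted one wins.
    Returns (state per (package, bug), list of rejected buginfos)."""
    state, rejected = {}, []
    for info in feed:
        if accept(info):
            key = (info.package, info.bug)
            state[key] = "closed" if info.action == "close" else "open"
        else:
            rejected.append(info)
    return state, rejected

def blacklist_policy(bad_signers):
    # Accept everything except known-bad keys.
    return lambda info: info.signer not in bad_signers

def whitelist_policy(tracked):
    # Accept only sources listed for the package the buginfo is about.
    return lambda info: info.source in tracked.get(info.package, set())

# Constructed feed: the maintainer closes foo#42, then a script reopens it
# from two throwaway keys posted on unrelated sites.
FEED = [
    BugInfo("bugs.debian.org", "KEY-MAINT", "foo", 42, "close"),
    BugInfo("forum.example", "KEY-TMP-1", "foo", 42, "reopen"),
    BugInfo("wiki.example", "KEY-TMP-2", "foo", 42, "reopen"),
    BugInfo("bts.otherdistro.example", "KEY-DEV", "bar", 7, "close"),
    BugInfo("bts.otherdistro.example", "KEY-DEV", "foo", 43, "close"),
]
# Constructed per-package whitelist: "bar" tracks the other distro, "foo" does not.
TRACKED = {
    "foo": {"bugs.debian.org"},
    "bar": {"bugs.debian.org", "bts.otherdistro.example"},
}

if __name__ == "__main__":
    # Blacklisting KEY-TMP-1 does not help: KEY-TMP-2 still reopens foo#42.
    print(replay(FEED, blacklist_policy({"KEY-TMP-1"}))[0])
    # The whitelist keeps foo#42 closed, but also drops foo#43 from the other distro.
    state, rejected = replay(FEED, whitelist_policy(TRACKED))
    print(state, [r.source for r in rejected])
```

The whitelist run also shows the cost the message points out: the other distribution's buginfo for `foo` is discarded along with the spam, because that source is only tracked for `bar`.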