[dist-bugs] Bug wars

Joey Hess joey at kitenet.net
Thu Jul 10 17:01:11 EDT 2008


Enrico Zini wrote:
> I was wondering, how would a bug war be handled in a system where bug
> state information is posted by anyone and automatically harvested and
> collected from all over the net?
> 
> It would be easy, for example, to write a script that looks for buginfos
> that close a specific bug, and automatically publishes a new buginfo
> that reopens it.  An angry user that loses his mind could even spam
> buginfos in random web forums or obscure wikis.  Or spammers could add
> buginfos to their forum/wiki spam in order to get their spam messages
> pulled in other BTSes.
> 
> IIRC (I'm offline now and I can't check Joey's initial proposal)
> buginfos are gpg signed, so theoretically you can blacklist
> contributions from well-known bad signatures; however, you need a way to
> agree on what signatures are bad, or people will post buginfos based on
> the bad entries.  And then, a new disposable gpg key can be generated
> cheaply at any time.
> 
> The only thing that comes to my mind is to fish buginfos only from a
> whitelist of sources: the Debian BTS could have a list of other BTSes to
> track, and every debian package could have a list of BTSes to track, and
> debbugs would only fish from them those bugs related to that package.
> 
> But then you'd need a way to name packages univocally across
> distributions, which is hard (think of the "git" package in debian, or
> library names).
> 
> Or one can do it the DVCS way, pulling from specific sources only upon
> user request.
> 
> However it is done, a security model limits the user experience and the
> scope of a tool, so it's an important aspect of design.  I could
> definitely concede, however, that at this point it's still too early to
> discuss securing the system, as most of the discussion is still on
> whether the system would work at all (but it does look like it would, so
> when do we declare that Joey's initial proposal stands?).

Definitely relevant stuff to be thinking about, and I think this applies
to any really distributed bug tracker, not just my buginfo proposal.

BTW, I'm not trying to make a proposal that group decides to use. I'm
just exploring ideas, and if they don't seem too broken, might
eventually implement something with a low enough barrier to entry that
it gets used. :-)

Anyway, I happen to discuss some of these issues WRT buginfo in the next
chapter of my proposal ("handling disagreements"), which I am not 100%
happy with, but does address at least some of the issues. I'll post it
now.

-- 
see shy jo