Debian Bug report logs - #590269
create a web-based submission for use with reportbug and possibly everything

Package: debbugs; Maintainer for debbugs is Debbugs developers <debian-debbugs@lists.debian.org>; Source for debbugs is src:debbugs.

Reported by: Stefano Zacchiroli <zack@debian.org>

Date: Sun, 25 Jul 2010 00:12:02 UTC

Severity: wishlist

Tags: patch

Blocking fix for 590214: support for submitting bug reports via http

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, debian-devel@lists.debian.org, Reportbug Maintainers <reportbug-maint@lists.alioth.debian.org>:
Bug#590214; Package reportbug. (Sun, 25 Jul 2010 00:12:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Stefano Zacchiroli <zack@debian.org>:
New Bug report received and forwarded. Copy sent to debian-devel@lists.debian.org, Reportbug Maintainers <reportbug-maint@lists.alioth.debian.org>. (Sun, 25 Jul 2010 00:12:05 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Stefano Zacchiroli <zack@debian.org>
To: submit@bugs.debian.org
Subject: support for submitting bug reports via http
Date: Sun, 25 Jul 2010 02:07:48 +0200
[Message part 1 (text/plain, inline)]
Package: reportbug
Version: 4.12.4
Severity: normal

On Sat, Jul 24, 2010 at 11:50:36PM +0100, Ben Hutchings wrote:
> On Sat, 2010-07-24 at 15:06 -0400, Holger Levsen wrote:
> > So, to summarize: a.) I still think reportbug should be able to submit bugs 
> > using port 80
> 
> Agreed.

Ditto.
As I haven't been able to find a feature request for that, here is one!

Dear reportbug maintainers, the contest of this request is the -devel
(sub)thread started at
<http://lists.debian.org/debian-devel/2010/07/msg00492.html>. In
subsequent messages, it has been argued that permitting to report bugs
via http (actually, via port 80 ...) would remove some more barriers to
bug reporting, due to firewalling and the like.

I understand that for such a feature mere support in reportbug isn't
enough, so you might want to block this feature request by some other
feature request on debbugs (I haven't yet checked whether the latter
request already exists or not).

Cheers


PS that thread just made me try again the GTK2 UI of reportbug: it's
   just *great* nowadays, kudos!

-- 
Stefano Zacchiroli -o- PhD in Computer Science \ PostDoc @ Univ. Paris 7
zack@{upsilon.cc,pps.jussieu.fr,debian.org} -<>- http://upsilon.cc/zack/
Dietro un grande uomo c'è ..|  .  |. Et ne m'en veux pas si je te tutoie
sempre uno zaino ...........| ..: |.... Je dis tu à tous ceux que j'aime
[signature.asc (application/pgp-signature, inline)]

Bug 590214 cloned as bug 590269. Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org. (Sun, 25 Jul 2010 12:57:01 GMT) Full text and rfc822 format available.

Bug reassigned from package 'reportbug' to 'debbugs'. Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org. (Sun, 25 Jul 2010 12:57:04 GMT) Full text and rfc822 format available.

Bug No longer marked as found in versions reportbug/4.12.4. Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org. (Sun, 25 Jul 2010 12:57:04 GMT) Full text and rfc822 format available.

Changed Bug title to 'create a web-based submission for use with reportbug and possibly everything' from 'support for submitting bug reports via http' Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org. (Sun, 25 Jul 2010 12:57:05 GMT) Full text and rfc822 format available.

Severity set to 'wishlist' from 'normal' Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org. (Sun, 25 Jul 2010 12:57:06 GMT) Full text and rfc822 format available.

Added blocking bug(s) of 590269: 590214 Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org. (Sun, 25 Jul 2010 12:57:07 GMT) Full text and rfc822 format available.

Removed blocking bug(s) of 590269: 590214 Request was from Stefano Zacchiroli <zack@debian.org> to control@bugs.debian.org. (Sun, 25 Jul 2010 13:51:11 GMT) Full text and rfc822 format available.

Added indication that bug 590269 blocks 590214 Request was from Stefano Zacchiroli <zack@debian.org> to control@bugs.debian.org. (Sun, 25 Jul 2010 13:51:13 GMT) Full text and rfc822 format available.

Information stored :
Bug#590269; Package debbugs. (Sun, 25 Jul 2010 14:00:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Stefano Zacchiroli <zack@debian.org>:
Extra info received and filed, but not forwarded. (Sun, 25 Jul 2010 14:00:05 GMT) Full text and rfc822 format available.

Message #26 received at 590269-quiet@bugs.debian.org (full text, mbox):

From: Stefano Zacchiroli <zack@debian.org>
To: Don Armstrong <don@debian.org>, Sandro Tosi <morph@debian.org>
Cc: 590269-quiet@bugs.debian.org
Subject: Re: teaching users how to submit good bug reports
Date: Sun, 25 Jul 2010 15:57:44 +0200
[Message part 1 (text/plain, inline)]
On Sun, Jul 25, 2010 at 05:36:46AM -0700, Don Armstrong wrote:
> clone 590214 -1
> reassign -1 debbugs
> retitle -1 create a web-based submission for use with reportbug and possibly everything
> severity -1 wishlist
> block -1 by 590214

Thanks Don!  I took the freedom of inverting the block relationship
though; arguably Sandro can't go forward with support on the reportbug
side until there's support in debbugs :-)

BTW, since reportbug it's already using the SOAP interface for bug
querying and the mail interface for bug submission, the simplest way
forward is probably just to add a submit SOAP method, which takes a
complete (MIME?) mail as payload and delivers it locally. Just my 0.02€.

Keep up the good work,
Cheers.

-- 
Stefano Zacchiroli -o- PhD in Computer Science \ PostDoc @ Univ. Paris 7
zack@{upsilon.cc,pps.jussieu.fr,debian.org} -<>- http://upsilon.cc/zack/
Dietro un grande uomo c'è ..|  .  |. Et ne m'en veux pas si je te tutoie
sempre uno zaino ...........| ..: |.... Je dis tu à tous ceux que j'aime
[signature.asc (application/pgp-signature, inline)]

Information stored :
Bug#590269; Package debbugs. (Sun, 25 Jul 2010 14:12:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Sandro Tosi <morph@debian.org>:
Extra info received and filed, but not forwarded. (Sun, 25 Jul 2010 14:12:05 GMT) Full text and rfc822 format available.

Message #31 received at 590269-quiet@bugs.debian.org (full text, mbox):

From: Sandro Tosi <morph@debian.org>
To: Stefano Zacchiroli <zack@debian.org>
Cc: Don Armstrong <don@debian.org>, 590269-quiet@bugs.debian.org
Subject: Re: teaching users how to submit good bug reports
Date: Sun, 25 Jul 2010 16:08:32 +0200
Hi,

On Sun, Jul 25, 2010 at 15:57, Stefano Zacchiroli <zack@debian.org> wrote:
> On Sun, Jul 25, 2010 at 05:36:46AM -0700, Don Armstrong wrote:
>> clone 590214 -1
>> reassign -1 debbugs
>> retitle -1 create a web-based submission for use with reportbug and possibly everything
>> severity -1 wishlist
>> block -1 by 590214
>
> Thanks Don!  I took the freedom of inverting the block relationship
> though; arguably Sandro can't go forward with support on the reportbug
> side until there's support in debbugs :-)
>
> BTW, since reportbug it's already using the SOAP interface for bug
> querying

*cough* *cough* reportbug is still using web scraping to get bugs
information :( I have plan to use SOAP soon (FSVO soon) but it's not
there yet, and I don't think it would be a wise idea to code it just
before the freeze starts.

> and the mail interface for bug submission, the simplest way
> forward is probably just to add a submit SOAP method, which takes a
> complete (MIME?) mail as payload and delivers it locally. Just my 0.02€.

for sure that would help to have a consistent way to interact with
debbugs, given SOAP it's already used, let's just continue with that,
what do you think?

Cheers,
-- 
Sandro Tosi (aka morph, morpheus, matrixhasu)
My website: http://matrixhasu.altervista.org/
Me at Debian: http://wiki.debian.org/SandroTosi




Information forwarded to debian-bugs-dist@lists.debian.org, Debbugs developers <debian-debbugs@lists.debian.org>:
Bug#590269; Package debbugs. (Wed, 28 Jul 2010 07:30:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Sandro Tosi <morph@debian.org>:
Extra info received and forwarded to list. Copy sent to Debbugs developers <debian-debbugs@lists.debian.org>. (Wed, 28 Jul 2010 07:30:05 GMT) Full text and rfc822 format available.

Message #36 received at 590269@bugs.debian.org (full text, mbox):

From: Sandro Tosi <morph@debian.org>
To: Olivier Berger <olivier.berger@it-sudparis.eu>, 590214@bugs.debian.org, 590269@bugs.debian.org
Cc: Stefano Zacchiroli <zack@debian.org>
Subject: Re: Bug#590214: support for submitting bug reports via http
Date: Wed, 28 Jul 2010 09:26:12 +0200
Hello Olivier,

On Wed, Jul 28, 2010 at 09:12, Olivier Berger
<olivier.berger@it-sudparis.eu> wrote:
> Hi.
>
> On Sun, Jul 25, 2010 at 02:07:48AM +0200, Stefano Zacchiroli wrote:
>>
>> On Sat, Jul 24, 2010 at 11:50:36PM +0100, Ben Hutchings wrote:
>> > On Sat, 2010-07-24 at 15:06 -0400, Holger Levsen wrote:
>> > > So, to summarize: a.) I still think reportbug should be able to submit bugs
>> > > using port 80
>> >
>> > Agreed.
>>
>> Ditto.
>> As I haven't been able to find a feature request for that, here is one!
>>
>> Dear reportbug maintainers, the contest of this request is the -devel
>> (sub)thread started at
>> <http://lists.debian.org/debian-devel/2010/07/msg00492.html>. In
>> subsequent messages, it has been argued that permitting to report bugs
>> via http (actually, via port 80 ...) would remove some more barriers to
>> bug reporting, due to firewalling and the like.
>>
>> I understand that for such a feature mere support in reportbug isn't
>> enough, so you might want to block this feature request by some other
>> feature request on debbugs (I haven't yet checked whether the latter
>> request already exists or not).
>>
>
> May I suggest that it would be great if debbugs was to support a standard like OSLC-CM for bug submission through REST POSTs (through HTTP/HTTPs) and reportbug would speak this standard as a client.

so you should have sent this comment to 590269, where it's actually
requested the http submission feature in debbugs, not on the reportbug
bug, that's downstream of 590269.

> See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=565513 which already proposed some ideas regarding OSLC-CM.
>
> IMHO, REST offers many advantages over SOAP in this respect (including the ability to interlink bugs using linked-data approach), and OSLC-CM may some day become a standard for interoperability between bugtrackers, so other tools than reportbug could be used too (more likely candidate so far : Mylyn in Eclipse).

Anyhow, I find it rather odd to call OSLC-CM "standard" or "more
standard than SOAP", since I've never heard of it, and I worked a lot
on interoperability between heterogeneous systems, where I find SOAP
(or plain REST) a lot more usable than any other rich format. The
lower the entry level, the easier for tools & people to adapt to it.
SOAP it's already available on BTS side, so it has definitely and
advantage over others.

Anyhow, it's a decision debbugs owner has to take, and so this is only
a comment; i'll just use what will be available.

Regards,
-- 
Sandro Tosi (aka morph, morpheus, matrixhasu)
My website: http://matrixhasu.altervista.org/
Me at Debian: http://wiki.debian.org/SandroTosi




Information forwarded to debian-bugs-dist@lists.debian.org, Debbugs developers <debian-debbugs@lists.debian.org>:
Bug#590269; Package debbugs. (Wed, 28 Jul 2010 09:09:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Olivier Berger <olivier.berger@it-sudparis.eu>:
Extra info received and forwarded to list. Copy sent to Debbugs developers <debian-debbugs@lists.debian.org>. (Wed, 28 Jul 2010 09:09:07 GMT) Full text and rfc822 format available.

Message #41 received at 590269@bugs.debian.org (full text, mbox):

From: Olivier Berger <olivier.berger@it-sudparis.eu>
To: Sandro Tosi <morph@debian.org>
Cc: 590269@bugs.debian.org, Stefano Zacchiroli <zack@debian.org>, 565513@bugs.debian.org, 590214@bugs.debian.org
Subject: OSLC-CM discussion - Was: Re: Bug#590214: support for submitting bug reports via http
Date: Wed, 28 Jul 2010 11:05:34 +0200
Ciao Sandro.

Le mercredi 28 juillet 2010 à 09:26 +0200, Sandro Tosi a écrit :
> Hello Olivier,
> 
>         > May I suggest that it would be great if debbugs was to
>         support a standard like OSLC-CM for bug submission through
>         REST POSTs (through HTTP/HTTPs) and reportbug would speak this
>         standard as a client.
>         
> so you should have sent this comment to 590269, where it's actually
> requested the http submission feature in debbugs, not on the reportbug
> bug, that's downstream of 590269.
> 

That's what I thought I had done... using bts --mbox show 590269
but I was tricked by the automatic proposal to CC 590214 :-(... anyway,
the principle is that both server (debbugs) and client (reportbug)
should speak the same language, so that's not completely off-topic...
it's just that the server is more concerned by interoperability with
more clients probably.

Thanks for fixing and CC-ing the proper debbugs one.

>         > See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=565513
>         which already proposed some ideas regarding OSLC-CM.
>         >
>         > IMHO, REST offers many advantages over SOAP in this respect
>         (including the ability to interlink bugs using linked-data
>         approach), and OSLC-CM may some day become a standard for
>         interoperability between bugtrackers, so other tools than
>         reportbug could be used too (more likely candidate so far :
>         Mylyn in Eclipse).
>         
> Anyhow, I find it rather odd to call OSLC-CM "standard" or "more
> standard than SOAP", since I've never heard of it, and I worked a lot
> on interoperability between heterogeneous systems, where I find SOAP
> (or plain REST) a lot more usable than any other rich format.

In can understand your point as I've been myself working on bugtracker
interoperability for years and only heard about OSLC-CM one year only
after they had started to elaborate the process.

The fact that you never heard of OSLC-CM is probably related to you not
noticing my numerous posts about it ;), but more seriously, because it
has mainly been elaborated by big proprietary vendors.

Notice I haven't called it "more standard than SOAP". It's just that it
has all properties of a good standard, i.e. a specs which propose some
properties, and not just one instance of an API of a particular tool.

But in any case, I think *if* one thinks about designing a new API, and
REST is an option, then I would definitely *advise* to check OSLC-CM [0]
instead of reinventing another wheel. If the properties of OSLC-CM don't
fit, then... ok... but just because you ignore something doesn't dismiss
it I guess... OK, then, now you know about it, if you don't like it,
period.

>  The
> lower the entry level, the easier for tools & people to adapt to it.
> SOAP it's already available on BTS side, so it has definitely and
> advantage over others.
> 

Sure. The point is just, with a (proposed) standard, the couple
reportbug + debbugs may not be the only tools that can implement some
connection between each-other, and adopting OSLC-CM may help foster
interoperability with other tools that (will) speak OSLC-CM (like
Mylyn).

> Anyhow, it's a decision debbugs owner has to take, and so this is only
> a comment; i'll just use what will be available.

Sure, one has to implement something... and the rest is void... only,
now, you are aware that OSLC-CM exists ;)

My 2 cents,

Best regards,
-- 
Olivier BERGER <olivier.berger@it-sudparis.eu>
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 2048R/5819D7E8
Ingénieur Recherche - Dept INF
Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)





Information forwarded to debian-bugs-dist@lists.debian.org, Debbugs developers <debian-debbugs@lists.debian.org>:
Bug#590269; Package debbugs. (Fri, 27 May 2011 14:06:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Stefano Zacchiroli <zack@debian.org>:
Extra info received and forwarded to list. Copy sent to Debbugs developers <debian-debbugs@lists.debian.org>. (Fri, 27 May 2011 14:06:03 GMT) Full text and rfc822 format available.

Message #46 received at 590269@bugs.debian.org (full text, mbox):

From: Stefano Zacchiroli <zack@debian.org>
To: debian-devel@lists.debian.org
Cc: 590269@bugs.debian.org
Subject: Re: bug reporting workflow is outdated
Date: Fri, 27 May 2011 16:03:42 +0200
[Message part 1 (text/plain, inline)]
On Sun, May 22, 2011 at 10:44:35PM +0200, Pedro Larroy wrote:
> I think expecting having a working smtp on laptops, workstations, etc,
> is unreasonable these days.
> I suggest that we can make an HTTP based bug reporting method.

Life runs in circle: I was about to summarize the discussion and submit
a feature request to keep track of this. I gave up after discovering I
did that about 1 year ago at the last iteration of the very same
discussion (see #590269).

I'm Cc:-ing the bug log to store in it the only new element I've been
able to spot. Namely, it would be nice if the HTTP "transport" could
detect on the fly syntax errors in the bts message, something we can't
do for SMTP (unless we control the MTA of the user).

I'm pretty sure Don welcomes patches for #590269 ...

Cheers.
-- 
Stefano Zacchiroli -o- PhD in Computer Science \ PostDoc @ Univ. Paris 7
zack@{upsilon.cc,pps.jussieu.fr,debian.org} -<>- http://upsilon.cc/zack/
Quando anche i santi ti voltano le spalle, |  .  |. I've fans everywhere
ti resta John Fante -- V. Capossela .......| ..: |.......... -- C. Adams
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debbugs developers <debian-debbugs@lists.debian.org>:
Bug#590269; Package debbugs. (Wed, 08 Jun 2011 09:18:32 GMT) Full text and rfc822 format available.

Acknowledgement sent to Stefano Zacchiroli <zack@debian.org>:
Extra info received and forwarded to list. Copy sent to Debbugs developers <debian-debbugs@lists.debian.org>. (Wed, 08 Jun 2011 09:18:36 GMT) Full text and rfc822 format available.

Message #51 received at 590269@bugs.debian.org (full text, mbox):

From: Stefano Zacchiroli <zack@debian.org>
To: 590269@bugs.debian.org
Cc: 590214@bugs.debian.org
Subject: (half) patch to receive reportbug submission via HTTP transport
Date: Wed, 8 Jun 2011 11:14:46 +0200
[Message part 1 (text/plain, inline)]
tags 590269 + patch
thanks

As briefly discussed on IRC, here is (half) patch to implement this
feature request. It's a CGI that:

- receive via HTTP file upload a bug report. The bug report is meant to
  prepared on the user machine by reportbug as usual, so by default it
  will contain all the information that mail-submitted bug reports
  contain

- do some syntax checking on the bug report, and fail with an HTTP error
  code if that fails

- do some mail header sanitization to reduce SPAM effects. AFAICT, after
  sanitization the SPAM risks of using the CGI would be the same that we
  have at present with the mail-based submission interface

It's only half a patch because, for complete testing, we also need a
patch for #590214 (Cc:-ed), i.e. we need support in reportbug for
delivering a MIME bug report via HTTP upload rather than via mail. If a
kind soul can write this, I'll be happy to set up a test instance of the
script for more wide testing.

Note that at present, the following testing path does *not* work
properly:

- prepare a bug report with reportbug
- save it as a draft on disk and quit
- upload the file using the CGI

because the "save to draft" feature of reportbug does not save the
entire MIME bug report (e.g. it lacks attachments and other details). So
we really need proper HTTP upload support in reportbug to proceed.

If nevertheless someone want to test the attached CGI, you need to set
$bts_to to 'submit@bugs.debian.org' and $DEBUG to 0 (see comments in the
source code).

Feedback is welcome,
Cheers.
-- 
Stefano Zacchiroli -o- PhD in Computer Science \ PostDoc @ Univ. Paris 7
zack@{upsilon.cc,pps.jussieu.fr,debian.org} -<>- http://upsilon.cc/zack/
Quando anche i santi ti voltano le spalle, |  .  |. I've fans everywhere
ti resta John Fante -- V. Capossela .......| ..: |.......... -- C. Adams
[http-submit.cgi (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Added tag(s) patch. Request was from Stefano Zacchiroli <zack@debian.org> to control@bugs.debian.org. (Wed, 08 Jun 2011 09:18:41 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debbugs developers <debian-debbugs@lists.debian.org>:
Bug#590269; Package debbugs. (Tue, 20 Aug 2013 15:06:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Jean-Michel Vourgère" <jmv_deb@nirgal.com>:
Extra info received and forwarded to list. Copy sent to Debbugs developers <debian-debbugs@lists.debian.org>. (Tue, 20 Aug 2013 15:06:04 GMT) Full text and rfc822 format available.

Message #58 received at 590269@bugs.debian.org (full text, mbox):

From: "Jean-Michel Vourgère" <jmv_deb@nirgal.com>
To: 590269@bugs.debian.org
Cc: Stefano Zacchiroli <zack@debian.org>, Don Armstrong <don@debian.org>, Sandro Tosi <morph@debian.org>, Asheesh Laroia <asheesh@asheesh.org>
Subject: Re: create a web-based submission for use with reportbug and possibly everything
Date: Tue, 20 Aug 2013 15:03:27 +0000
[Message part 1 (text/plain, inline)]
Hello

I'm writing a patch for reportbug, and I believe the cgi might need some minor
tweaks:

If the bugreport is a security problem, reportbug asks whether it is an
undisclosed vulnerability. If the answer is Yes, the report is NOT to be sent
to submit@bugs.debian.org but rather to team@security.debian.org.
Right now, the CGI will override the destination and publish the problem on the
BTS, which is probably a Bad idea™.

Additionnaly, there are a few other addresses that would be nice to support:

reportbug -kudos sends mail to:
  _package_ @packages.debian.org

If the security tag is present, reportbug will cc:
 Debian Security Team <team@security.debian.org>
 Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>

If the user sends additionnal information, report bug will send to
 Debian Bug Tracking System <nnnnnn@bugs.debian.org>
Right now the cgi will post to submit, and it might be catched by the BTS [1]
but it would be nice to support these addresses too.

The bugreport cc: option is only writing X-Debbugs-CC headers, so this is not
an issue.


How bad would it be to support all adresses matching *@*.debian.org in to: and
cc:, regarding spams?

My perl level is close to nil. Can anyone look into that?


[1] http://www.debian.org/Bugs/Developer#subjectscan
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debbugs developers <debian-debbugs@lists.debian.org>:
Bug#590269; Package debbugs. (Tue, 20 Aug 2013 18:06:09 GMT) Full text and rfc822 format available.

Acknowledgement sent to Don Armstrong <don@donarmstrong.com>:
Extra info received and forwarded to list. Copy sent to Debbugs developers <debian-debbugs@lists.debian.org>. (Tue, 20 Aug 2013 18:06:10 GMT) Full text and rfc822 format available.

Message #63 received at 590269@bugs.debian.org (full text, mbox):

From: Don Armstrong <don@donarmstrong.com>
To: Jean-Michel Vourgère <jmv_deb@nirgal.com>
Cc: 590269@bugs.debian.org, Stefano Zacchiroli <zack@debian.org>, Sandro Tosi <morph@debian.org>, Asheesh Laroia <asheesh@asheesh.org>
Subject: Re: create a web-based submission for use with reportbug and possibly everything
Date: Tue, 20 Aug 2013 11:03:57 -0700
On Tue, 20 Aug 2013, Jean-Michel Vourgère wrote:
> I'm writing a patch for reportbug, and I believe the cgi might need some minor
> tweaks:
> 
> If the bugreport is a security problem, reportbug asks whether it is an
> undisclosed vulnerability. If the answer is Yes, the report is NOT to be sent
> to submit@bugs.debian.org but rather to team@security.debian.org.
> Right now, the CGI will override the destination and publish the problem on the
> BTS, which is probably a Bad idea™.

In this case, reportbug should probably just ask people to e-mail
team@security.debian.org details instead of sending a bug report.

> Additionaly, there are a few other addresses that would be nice to
> support:
> 
> reportbug -kudos sends mail to:
>   _package_ @packages.debian.org

These aren't really necessary.
 
> If the security tag is present, reportbug will cc:
>  Debian Security Team <team@security.debian.org>
>  Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>

These should be X-Debbugs-Cc:.

> If the user sends additionnal information, report bug will send to
>  Debian Bug Tracking System <nnnnnn@bugs.debian.org>
> Right now the cgi will post to submit, and it might be catched by the BTS [1]
> but it would be nice to support these addresses too.

The BTS will catch these, but accepting messages to a bug would also be
allowable.
 
> How bad would it be to support all adresses matching *@*.debian.org in
> to: and cc:, regarding spams?

If it's not talking directly to the BTS, I basically don't want to
support it in the BTS.

I suspect that allowing the destination to be given as
destination=(nnnnn|submit|control) with a default to submit would be
sufficient.

I'm also concerned about allowing through bugs/messages which do not
correspond to a working e-mail address... so it's possible that I will
implement the CGI with some sort of cache coupled with a response.

-- 
Don Armstrong                      http://www.donarmstrong.com

America was far better suited to be the World's Movie Star. The
world's tequila-addled pro-league bowler. The world's acerbic bi-polar
stand-up comedian. Anything but a somber and tedious nation of
socially responsible centurions.
 -- Bruce Sterling, _Distraction_ p122



Information forwarded to debian-bugs-dist@lists.debian.org, Debbugs developers <debian-debbugs@lists.debian.org>:
Bug#590269; Package debbugs. (Fri, 23 Aug 2013 17:03:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Debbugs developers <debian-debbugs@lists.debian.org>. (Fri, 23 Aug 2013 17:03:04 GMT) Full text and rfc822 format available.

Message #68 received at 590269@bugs.debian.org (full text, mbox):

From: Jonathan Wiltshire <jmw@debian.org>
To: 590269@bugs.debian.org
Cc: team@security.debian.org, Don Armstrong <don@donarmstrong.com>
Subject: Re: create a web-based submission for use with reportbug and possibly everything
Date: Fri, 23 Aug 2013 17:52:53 +0100
On 2013-08-23 15:07, Jean-Michel Vourgère wrote:
> Alternatively, we could try to bribe Don to have a 
> security@bugs.debian.org
> alias for you to use. I have no idea how (in)secure bugs.debian.org is. 
> I
> suppose GnuPG is not an option since the recipient is a team.

There is a team GnuPG key:

http://www.debian.org/security/faq#contact

which would alleviate snooping concerns.

-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

<directhex> i have six years of solaris sysadmin experience, from
            8->10. i am well qualified to say it is made from bonghits
			layered on top of bonghits



Information forwarded to debian-bugs-dist@lists.debian.org, Debbugs developers <debian-debbugs@lists.debian.org>:
Bug#590269; Package debbugs. (Thu, 29 Aug 2013 08:27:14 GMT) Full text and rfc822 format available.

Acknowledgement sent to Stefano Zacchiroli <zack@debian.org>:
Extra info received and forwarded to list. Copy sent to Debbugs developers <debian-debbugs@lists.debian.org>. (Thu, 29 Aug 2013 08:27:14 GMT) Full text and rfc822 format available.

Message #73 received at 590269@bugs.debian.org (full text, mbox):

From: Stefano Zacchiroli <zack@debian.org>
To: Jean-Michel Vourgère <jmv_deb@nirgal.com>
Cc: 590269@bugs.debian.org, Don Armstrong <don@debian.org>, Sandro Tosi <morph@debian.org>, Asheesh Laroia <asheesh@asheesh.org>
Subject: Re: create a web-based submission for use with reportbug and possibly everything
Date: Thu, 29 Aug 2013 11:26:33 +0300
[Message part 1 (text/plain, inline)]
On Tue, Aug 20, 2013 at 03:03:27PM +0000, Jean-Michel Vourgère wrote:
> I'm writing a patch for reportbug, and I believe the cgi might need
> some minor tweaks:

Heya, thanks a lot for working on the reportbug part of this!

Executive summary: feel free (you, or anyone else interested in Perl
hacking) to change the CGI script as you see fit. I really care about
offering users the ability to use HTTP as a transport, possibly as the
*default* transport, for bug reports because I'm convinced that SMTP is
a real blocker for many users.  But I don't think I'll be hacking again
on this CGI in the near future; if it's easier for you, feel even free
to rewrite in something non-Perl-ish.

Either way, coordinating with Don to have something he'll be happy to
integrate in debbugs proper seems like the best way forward (and maybe
that means sticking to Perl? dunno...).

Thanks for your interest in this, I really appreciate!
Cheers.
-- 
Stefano Zacchiroli  . . . . . . .  zack@upsilon.cc . . . . o . . . o . o
Maître de conférences . . . . . http://upsilon.cc/zack . . . o . . . o o
Former Debian Project Leader  . . @zack on identi.ca . . o o o . . . o .
« the first rule of tautology club is the first rule of tautology club »
[signature.asc (application/pgp-signature, inline)]

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 21:35:40 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.