Copy: debian-project@lists.debian.org

Antonio Russo wrote:

As someone who would like to participate more in the development of Debian, my personal experience is that making contributions is like dropping a message in a bottle into the sea. It feels like a complete crap-shot
whether I'll even receive a comment on any code contribution (including debian-devel RFS, salsa MR, or BTS patch).

For salsa and BTS, one reason for lack of reply can be that the maintainer is never notified. I get surprised sometimes that salsa has merge requests waiting for me. I suspect that either the email notification is broken or off by default and I never saw instructions to enable it.

In the case of the BTS: it used to email me but that broke a couple years ago and apparently it is hard to fix. So currently a class of us don't get email from any bug reports.

My suggestion, therefore, is: if the patch is important to you, do also CC directly the maintainer address.

-Steve

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEy89k8fa3rclNjyokyeVeL63I9LkFAmWPKaEACgkQyeVeL63I 9Lk3Xw//R3Hr0KeeYySnps9v49i0F0qN1z8ibSu7eF64CeFsZOTEPk6wComY3iBl VIvxzGgb5GBWpi/+kgPTCcx+XohJh0BNkPwWEFXk/imbCrRUjiVznGzOuwjzChBy bfXpRfFP2OdY4tNiD+cwWVGmd7GR3VS9UvM4qNgb7EuWFgVPUdAczfM8l6v6vqIg qGRNJPb2eb8p6ZFdCiDVGfpgA/9KF6RavSfA3AToi3nAP41pyitwHslB9AD6eKuv RCgf+DHrlBPlfgUA1u5+H8SWHLejVXXjep6FG1QakL8sWqQXKxJ3kBCB9vJZ2n3v cLdow1ytN+30kmsA3kEklztzmEBJ/B/V6dFu3r53sJXBYTvdBJdfXe3BMYQADgnB nSogWAMQdMaQG9n2IMQ1HoBM3SVoVmSYiP/oPKR4vgIdN7Xl7RIbICjTo9qLsBKO cQht7GIQ8boB3goNIO+M9wu04KOiui6k84xJd0xbHi7SOCpjJeRDSwDgIa4FLy+0 x0Sf+RGq3CAZ31OSKiYTYsyZG6YEVBzi7ZopndmfEVHnS2iQulUKqB54epvKBDSu SUqApNEe7mi+lr2DQ/SDqSAraBRMBm9sJ5QLejY6i7oiA3zfaGLJK5hw3FZEb2ZR 4YannXxXW8M0HDUHdE1EyOp9sWKjtBewtlkT0CFcQUQ5PHXusxI=
=1Sau
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Fri, Dec 29, 2023 at 02:18:41PM -0600, Steven Robbins wrote:

Antonio Russo wrote:

As someone who would like to participate more in the development of Debian, my personal experience is that making contributions is like dropping a message in a bottle into the sea. It feels like a complete crap-shot whether I'll even receive a comment on any code contribution (including debian-devel RFS, salsa MR, or BTS patch).

For salsa and BTS, one reason for lack of reply can be that the maintainer is never notified. I get surprised sometimes that salsa has merge requests waiting for me. I suspect that either the email notification is broken or off
by default and I never saw instructions to enable it.

It is off by default unless that was changed recently-ish.

In the case of the BTS: it used to email me but that broke a couple years ago and apparently it is hard to fix. So currently a class of us don't get email from any bug reports.

What is that class?

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Friday, December 29, 2023 2:18:41 P.M. CST Steven Robbins wrote:

In the case of the BTS: it used to email me but that broke a couple years
ago and apparently it is hard to fix. So currently a class of us don't get email from any bug reports.

Andrey Rakhmatullin asked "what is that class?".

It's unclear to me. From the last discussion [1], it seems like it should be everyone. Maybe it is everyone whose mail infrastructure looks at DMARC [2]?

I think S�bastien Noel's 2021 note to the bug report is germane to this discussion:

"""
Same observation here:
DMARC aggregate reports notifies me that emails sends to the BTS
are not delivered to the final recipient.

I should not be surprised anymore if bugreports are left un-answered, maintainers are simply not getting notification...

Since the last comment of this bug, 4 months have passed and no
reaction.
I suspect that nobody recieved the last email, and my guts tell me
that i'm writing to /dev/null rigth now :(

Without a working BTS, i'm wondering :
Is the project still interested by users' feedback ?
"""


[1] https://lists.debian.org/debian-devel/2022/09/msg00273.html
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=754809


-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEy89k8fa3rclNjyokyeVeL63I9LkFAmWUUCIACgkQyeVeL63I 9LkdEQ//Wmf6uHmTy6sYeDgSitDEcAsSMp2NGZGx4OeIZiGeS3oiPGD1kUVz3s5P KjiJX+b9lzcPlMGlmfJZe0mY0kg7bA79fFAooO1xNlg+eu6DPs7sXsw8Exf9ni6o neUW40O+hxkuRygby7Nz6s4Fg7ZKOKyloHqE7yE6lbQ6jMKGzctdsg6CKxHHqHJv 3lhX1Sy4n/7K3OOGs3OUIiATuB6whErbhCDcvxN2szBpl1z0kavTahChjAdPtdxA jIBD0mME0oBNULBaIoxw9ncPj83gX8k3FvXd6NVcZXatduvDqzFvMKjojGj6uV8b MhHY3YC1j1m3YUWmuVs0g6UGshgJbxWux+dT3dJ2/Ey4WrcfhYcQAUEXseN+GOq1 5HNW5x7eG7xofZ7rTzDSx8a3Cmx6CDWmUmkg8Er8L/Esg1FKcvt8mYMpNL/6waia 9Y1Zzjx/Top/gt2Us7KElSkQpljys9Kr3OV9vtznNXWO+LpkDCckC5ilWkJbscfD Fyjf52AVK2GEn3hQXzXhE4wMYQCVDkBzPtulnhIVMSnohFk5l0PCBAmw7KGEOKdm 4DPSqzEIK9A7O/5s/xb9X/6poSRRfh34EhCK8X1xW9let3T4HmctSu7w/PHMWiE9 oZTkdThCWnViHn6BrHUUX0uNjn3lGolDqh32dlt2kT+OIuHSRMU=
=q3WT
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On January 2, 2024 6:04:18 PM UTC, Steven Robbins <steve@sumost.ca> wrote:

On Friday, December 29, 2023 2:18:41 P.M. CST Steven Robbins wrote:

In the case of the BTS: it used to email me but that broke a couple years
ago and apparently it is hard to fix. So currently a class of us don't get >> email from any bug reports.

Andrey Rakhmatullin asked "what is that class?".

It's unclear to me. From the last discussion [1], it seems like it should be >everyone. Maybe it is everyone whose mail infrastructure looks at DMARC [2]?

I think Sébastien Noel's 2021 note to the bug report is germane to this >discussion:

"""
Same observation here:
DMARC aggregate reports notifies me that emails sends to the BTS
are not delivered to the final recipient.

I should not be surprised anymore if bugreports are left un-answered, >maintainers are simply not getting notification...

Since the last comment of this bug, 4 months have passed and no
reaction.
I suspect that nobody recieved the last email, and my guts tell me
that i'm writing to /dev/null rigth now :(

Without a working BTS, i'm wondering :
Is the project still interested by users' feedback ?
"""

[1] https://lists.debian.org/debian-devel/2022/09/msg00273.html
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=754809

Alternatively, BTS users that are interested in others getting their emails might be better off posting from a domain that doesn't have a DMARC policy that's designed to be used for domains that send only transactional email (i.e. no human users). It's
working fine for me.

Scott K

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

"Scott" == Scott Kitterman <debian@kitterman.com> writes:

Scott> Alternatively, BTS users that are interested in others
Scott> getting their emails might be better off posting from a
Scott> domain that doesn't have a DMARC policy that's designed to be
Scott> used for domains that send only transactional email (i.e. no
Scott> human users). It's working fine for me.

Would including a warning about the domain you are sending from be more tractable as an improvement than SRS-style header rewriting?
(This directed more at people who know the BTS code).

At least people could be warned that because of the domain they send
from their mail might not get through.

--Sam

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

------IHBAULPCH4B8YNY22LZFV6663GBA38
Content-Type: text/plain;
charset=utf-8
Content-Transfer-Encoding: quoted-printable

By far most users in all likelihood do not know that something like even DMARC exists.

Do not discount them just because you know and can act accordingly.

Cheers
Mike


Am 2. Januar 2024 20:10:27 MEZ schrieb Scott Kitterman <debian@kitterman.com>:

On January 2, 2024 6:04:18 PM UTC, Steven Robbins <steve@sumost.ca> wrote: >>On Friday, December 29, 2023 2:18:41 P.M. CST Steven Robbins wrote:

In the case of the BTS: it used to email me but that broke a couple years >>> ago and apparently it is hard to fix. So currently a class of us don't get >>> email from any bug reports.

Andrey Rakhmatullin asked "what is that class?".

It's unclear to me. From the last discussion [1], it seems like it should be
everyone. Maybe it is everyone whose mail infrastructure looks at DMARC [2]? >>
I think Sébastien Noel's 2021 note to the bug report is germane to this >>discussion:

"""
Same observation here:
DMARC aggregate reports notifies me that emails sends to the BTS
are not delivered to the final recipient.

I should not be surprised anymore if bugreports are left un-answered, >>maintainers are simply not getting notification...

Since the last comment of this bug, 4 months have passed and no
reaction.
I suspect that nobody recieved the last email, and my guts tell me
that i'm writing to /dev/null rigth now :(

Without a working BTS, i'm wondering :
Is the project still interested by users' feedback ?
"""


[1] https://lists.debian.org/debian-devel/2022/09/msg00273.html
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=754809

Alternatively, BTS users that are interested in others getting their emails might be better off posting from a domain that doesn't have a DMARC policy that's designed to be used for domains that send only transactional email (i.e. no human users). It's

working fine for me.

Scott K

------IHBAULPCH4B8YNY22LZFV6663GBA38
Content-Type: text/html;
charset=utf-8
Content-Transfer-Encoding: quoted-printable

<html><head></head><body><div dir="auto">By far most users in all likelihood do not know that something like even DMARC exists.<br><br>Do not discount them just because you know and can act accordingly.<br><br>Cheers<br>    Mike<br></div><br><br><div
class="gmail_quote"><div dir="auto">Am 2. Januar 2024 20:10:27 MEZ schrieb Scott Kitterman &lt;debian@kitterman.com&gt;:</div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<pre class="k9mail"><div dir="auto"><br><br>On January 2, 2024 6:04:18 PM UTC, Steven Robbins &lt;steve@sumost.ca&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #729fcf; padding-left: 1ex;"><
div dir="auto">On Friday, December 29, 2023 2:18:41 P.M. CST Steven Robbins wrote:<br><br><br></div><blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #ad7fa8; padding-left: 1ex;"><div dir="auto">In the case of the
BTS: it used to email me but that broke a couple years<br>ago and apparently it is hard to fix. So currently a class of us don't get<br>email from any bug reports.<br></div></blockquote><div dir="auto"><br>Andrey Rakhmatullin asked "what is that class?".
<br><br>It's unclear to me. From the last discussion [1], it seems like it should be <br>everyone. Maybe it is everyone whose mail infrastructure looks at DMARC [2]?<br><br>I think Sébastien Noel's 2021 note to the bug report is germane to this <br>
discussion:<br><br>"""<br>Same observation here:<br>DMARC aggregate reports notifies me that emails sends to the BTS<br>are not delivered to the final recipient.<br><br>I should not be surprised anymore if bugreports are left un-answered,<br>maintainers
are simply not getting notification...<br><br>Since the last comment of this bug, 4 months have passed and no <br>reaction.<br>I suspect that nobody recieved the last email, and my guts tell me<br>that i'm writing to /dev/null rigth now :(<br><br>Without
a working BTS, i'm wondering :<br>Is the project still interested by users' feedback ?<br>"""<br><br><br>[1] <a href="https://lists.debian.org/debian-devel/2022/09/msg00273.html">https://lists.debian.org/debian-devel/2022/09/msg00273.html</a><br>[2] <a
href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=754809">https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=754809</a><br><br></div></blockquote><div dir="auto"><br>Alternatively, BTS users that are interested in others getting their emails might
be better off posting from a domain that doesn't have a DMARC policy that's designed to be used for domains that send only transactional email (i.e. no human users). It's working fine for me.<br><br>Scott K<br><br></div></pre></blockquote></div></body></
html>
------IHBAULPCH4B8YNY22LZFV6663GBA38--

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

I agree. I do, however, think it's at least as reasonable to assign blame for DMARC breaking all sorts of traditional email usage on users that use domains with restrictive DMARC policies as it is to blame the BTS.

If someone wants to change the Debian BTS to be more DMARC friendly, then they should probably work with the BTS maintainers to implement it. Inferring that the lack of progress is indicative of not wanting feedback is nonsense.

In the meantime, users who want to successfully interact with the BTS have options (use a different email provider). BTS works fine with non-broken email systems.

Scott K

On January 3, 2024 4:31:58 AM UTC, Michael Neuffer <neuffer@neuffer.com> wrote: >By far most users in all likelihood do not know that something like even DMARC exists.

Do not discount them just because you know and can act accordingly.

Cheers
Mike

Am 2. Januar 2024 20:10:27 MEZ schrieb Scott Kitterman <debian@kitterman.com>: >>

On January 2, 2024 6:04:18 PM UTC, Steven Robbins <steve@sumost.ca> wrote: >>>On Friday, December 29, 2023 2:18:41 P.M. CST Steven Robbins wrote:

In the case of the BTS: it used to email me but that broke a couple years >>>> ago and apparently it is hard to fix. So currently a class of us don't get
email from any bug reports.

Andrey Rakhmatullin asked "what is that class?".

It's unclear to me. From the last discussion [1], it seems like it should be
everyone. Maybe it is everyone whose mail infrastructure looks at DMARC [2]?

I think Sébastien Noel's 2021 note to the bug report is germane to this >>>discussion:

"""
Same observation here:
DMARC aggregate reports notifies me that emails sends to the BTS
are not delivered to the final recipient.

I should not be surprised anymore if bugreports are left un-answered, >>>maintainers are simply not getting notification...

Since the last comment of this bug, 4 months have passed and no >>>reaction.
I suspect that nobody recieved the last email, and my guts tell me
that i'm writing to /dev/null rigth now :(

Without a working BTS, i'm wondering :
Is the project still interested by users' feedback ?
"""


[1] https://lists.debian.org/debian-devel/2022/09/msg00273.html
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=754809

Alternatively, BTS users that are interested in others getting their emails might be better off posting from a domain that doesn't have a DMARC policy that's designed to be used for domains that send only transactional email (i.e. no human users). It'

s working fine for me.

Scott K

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On January 3, 2024 2:55:35 AM UTC, Sam Hartman <hartmans@debian.org> wrote: >>>>>> "Scott" == Scott Kitterman <debian@kitterman.com> writes:

Scott> Alternatively, BTS users that are interested in others
Scott> getting their emails might be better off posting from a
Scott> domain that doesn't have a DMARC policy that's designed to be
Scott> used for domains that send only transactional email (i.e. no
Scott> human users). It's working fine for me.

Would including a warning about the domain you are sending from be more >tractable as an improvement than SRS-style header rewriting?
(This directed more at people who know the BTS code).

At least people could be warned that because of the domain they send
from their mail might not get through.

My guess is that such a warning email (which is the only way we'd have to do it) would also cause a lot of complaints. Ultimately, I think we (for some value of we that doesn't include me doing the work) will need to have the BTS send all emails from
bugs.debian.org role addresses and not use the sender's email in From anymore.

Scott K

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Wed, Jan 03, 2024 at 05:10:43PM +0000, Scott Kitterman wrote:

My guess is that such a warning email (which is the only way we'd have
to do it) would also cause a lot of complaints. Ultimately, I think
we (for some value of we that doesn't include me doing the work) will
need to have the BTS send all emails from bugs.debian.org role
addresses and not use the sender's email in From anymore.

Yeah, this is what we ended up doing in Launchpad for similar reasons in
2020: mail from bug #NNNNNNN resulting from an action by a user whose
display name is "Some User" is sent with "From: Some User <NNNNNNN@bugs.launchpad.net>". The switch was a bit nerve-wracking, but
it largely seems to be working OK there and I think is basically the
only way to make things work reliably in the modern email environment.

That said, debbugs has much higher expectations of everything being done through email than Launchpad does, so it'd need some care to make sure
that e.g. From/Reply-To are exactly right in all cases, and it's quite
likely that people would be somewhat discombobulated by the change. It
would make it harder to take a BTS conversation to private email, for
instance (but perhaps that's a good thing since new users often end up
doing this by accident?), and we'd have to think about how it interacted
with things like X-Debbugs-Cc to mailing lists.

[Disclaimer: I no longer work on Launchpad, and although I should still
have permissions to work on debbugs it's been a long time since I
actually did so. Maybe later this year ...]

--
Colin Watson (he/him) [cjwatson@debian.org]

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi Scott,

On Wed, Jan 03, 2024 at 05:10:43PM +0000, Scott Kitterman wrote:

At least people could be warned that because of the domain they send
from their mail might not get through.

My guess is that such a warning email (which is the only way we'd have to
do it) would also cause a lot of complaints.

I think we [...] will need to have the BTS send all emails from bugs.debian.org role addresses and not use the sender's email in From anymore.

Just to make sure I understand the constraints: we can determine at sending time whether a particular domain is going to cause trouble or not, right?
If so could this rewrite scheme be applied only for recipients where it's absolutely necessary?

That way DDs, who are likeley to care more about their BTS email workflow
than the average user, don't have to deal with the negative consequences of
the address rewriting if they're already behind a polite mailserver.

Further if this discrimination is possible I wonder if it might not also be possible to accomodate the subset of BTS users who are behind broken mail providers but use sensible mail clients (mutt and such).

Specifically I think when you embedd an message/rfc822 part mutt allows me
to autoview the message inline, see the (pretty set) of headers, and reply
to this message instead of the "envelope".

So when BTS sees a broken domain it could generate the usual message with address rewriting applied, but also attach in an multipart/alternative the untouched version for this set of users to use.

Not sure that all works out, just a crazy idea,
--Daniel

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEV6G/FbT2+ZuJ7bKf05SBrh55rPcFAmWWxp0ACgkQ05SBrh55 rPegcA//UNJKwvKzPDt6I44wG1DytYBnlOYeoH3sLpqdB77T3qWE1NnWPZCmANL+ NYVlHCFG/FT2yoeSAz6CZsphMOC0d4mp1QQGuekihHh4YVFcYuNCghovNeHLGE6f kM7EiLIT68Yg0iQzA2P3Zk0xPfjiyhmVt4eLE7EtQNMHN+Ngz8GFAfuSd8E4SnwW /sXnqf8+cVzf4iVSDdnZLbr5GbCJn2s0rfXA1mglvtJ76PUQ9zivMOpwLD9PayK5 WCnJWjMxP70uF1kQhqhGg7PrtVag89oVjdjDmp589YqJ4K1mEDbh9MtSc/V06wI8 xhdpGm9JafVshA0KNAl61Eo3pROWFJxjVwh9/U85ay2kLkVkteR6RA5DgrqA7JNp BGPTZDXI6Nb3IjL+gedVwgQHs2BaZ5fHNyO82RLbq27OhgIiCqpRoOyZLX++VCN1 tjBeeo1zJ9/8xC82p/yoI2BaIX0CkhKYkD2jj3S4+5jnff0f45Ie+4VNXfPFz4Ie 7Y9LkKjHMYohzaZfmc5b4/zEIK7jpt46UWrPM8S4TuRnf4eXyC0gaBJXu3YM4hKF sALZ16TXcUNSqPTXb5hXlHDfarx+qaAtlVrXRdRzHqkiTs9YC9wdmtbhj/ADRZpd Nb1J7GOi6iaNtC0S6Ct3NTq80hGSSN6Ok45s9lNdDX2EzRODlWE=
=DUAH
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 2024-01-04 15:54:28 +0100 (+0100), Daniel Gröber wrote:
[...]

Just to make sure I understand the constraints: we can determine
at sending time whether a particular domain is going to cause
trouble or not, right? If so could this rewrite scheme be applied
only for recipients where it's absolutely necessary?

[...]

Unfortunately no. It *used* to be a popular assumption that you
could look at the published DKIM/DMARC policies for a given address
and determine whether you can safely put them in the From header,
but that changed recently when Gmail decided to treat messages from
its own users more strictly than the policy it publishes for them in
DNS. And since Gmail does custom domain hosting too, you can't
simply limit the workaround to treating their well-known domain
specially. Given its popularity (near ubiquity) as a freemail
provider these days, telling users they'll have to get an address
somewhere else to interact with the BTS is unlikely to end well
either.
--
Jeremy Stanley

-----BEGIN PGP SIGNATURE-----

iQKTBAABCgB9FiEEl65Jb8At7J/DU7LnSPmWEUNJWCkFAmWWyrhfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDk3 QUU0OTZGQzAyREVDOUZDMzUzQjJFNzQ4Rjk5NjExNDM0OTU4MjkACgkQSPmWEUNJ WCke1w//YfepYrC9ZpqI27ZRzqgwlLqy5RfIXEN2v8ALtwP3iAP8fMIuWSaLQV3Y H4jm01nDURKTNQwvFi0jNS/OqVT2ShhFBFlX05ZNUIQ1PSjbY2FlDvNVm6MYiwNt CDkvJOCVO9T+qxg6ZD2pTkmC5uEKJR1GHl57Rmzm8q6cXptlcJ8j9S0EFadHkxLl 0ZO93V11Lc6MkvfcHEBfjIdZV9Vf5olbq6dJrqMWhTxMSKfQxYf6Bsw1yaqjgq2p uE+o6dQqcVbgtENKjYTVshCYeu2Hx1xjBNIRe0XCbCRWe0Ra5v76rRx6kwaqC0Cf 93oWLG056km3AuUswrrS1PeePtcSSXaFeq/MYgr0dlS81k4kOhcSMmxaxgGLAC3D wXOrqcyOboTkM5pTsT6iVb66d02IHr8W1Mes2XIRPpE8Kzsf1WJJ8ZIHjPGGOC7d 0dOYMoGL6yqJ0kjjRcFPtnSlThe+ruuF2wyxbCBAihDR+xWl/aBsWzBLKxitlwhh su1Mw9MpXMWJogh/D35Oo5j1T4vSemYi8SW2ru8zdj2uwQb7sUMjKHTp+JjWRXFl cmsOqlan76Jkmn4nCuRNXuGcWcaOY3vnJ9Q6XW60scSXJlJZiyo8Wj+MlTEArmeP HAji7B/s2I5Q7HCwhk3vkqwM+IW25h/V39wGOUHa1nQ4mu5O1/Q=
=gVGX
-----END PGP SIGNATURE-----

--- SoupGate-Win32

On January 4, 2024 2:54:28 PM UTC, "Daniel Gröber" <dxld@darkboxed.org> wrote: >Hi Scott,

On Wed, Jan 03, 2024 at 05:10:43PM +0000, Scott Kitterman wrote:

At least people could be warned that because of the domain they send
from their mail might not get through.

My guess is that such a warning email (which is the only way we'd have to
do it) would also cause a lot of complaints.

I think we [...] will need to have the BTS send all emails from
bugs.debian.org role addresses and not use the sender's email in From
anymore.

Just to make sure I understand the constraints: we can determine at sending >time whether a particular domain is going to cause trouble or not, right?
If so could this rewrite scheme be applied only for recipients where it's >absolutely necessary?

That way DDs, who are likeley to care more about their BTS email workflow >than the average user, don't have to deal with the negative consequences of >the address rewriting if they're already behind a polite mailserver.

Further if this discrimination is possible I wonder if it might not also be >possible to accomodate the subset of BTS users who are behind broken mail >providers but use sensible mail clients (mutt and such).

Specifically I think when you embedd an message/rfc822 part mutt allows me
to autoview the message inline, see the (pretty set) of headers, and reply
to this message instead of the "envelope".

So when BTS sees a broken domain it could generate the usual message with >address rewriting applied, but also attach in an multipart/alternative the >untouched version for this set of users to use.

Not sure that all works out, just a crazy idea,
--Daniel

That's consistent with things I've seen proposed and implemented for mitigation of DMARC issues with mailing lists. I don't know if the multipart solution has ever been implemented. From/Mail From definitely have been.

If I were designing it, I would lean heavily on Colin Watson's experience with DMARC mitigation in Launchpad. I've done some consulting work in this area, but I have never implemented it.

Scott K

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Thu, Jan 04, 2024 at 03:54:28PM +0100, Daniel Gröber wrote:

On Wed, Jan 03, 2024 at 05:10:43PM +0000, Scott Kitterman wrote:

At least people could be warned that because of the domain they send
from their mail might not get through.

My guess is that such a warning email (which is the only way we'd have to do it) would also cause a lot of complaints.

I think we [...] will need to have the BTS send all emails from bugs.debian.org role addresses and not use the sender's email in From anymore.

Just to make sure I understand the constraints: we can determine at sending time whether a particular domain is going to cause trouble or not, right?
If so could this rewrite scheme be applied only for recipients where it's absolutely necessary?

I haven't looked into this in a lot of detail, but my concern would be
that that would end up being flaky and confusing in practice. I think
people want the behaviour of the BTS to be easily predictable without
having to get an advanced degree in MTA debugging first.

--
Colin Watson (he/him) [cjwatson@debian.org]

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On January 4, 2024 3:15:29 PM UTC, Colin Watson <cjwatson@debian.org> wrote: >On Thu, Jan 04, 2024 at 03:54:28PM +0100, Daniel Gröber wrote:

On Wed, Jan 03, 2024 at 05:10:43PM +0000, Scott Kitterman wrote:

At least people could be warned that because of the domain they send
from their mail might not get through.

My guess is that such a warning email (which is the only way we'd have to >> > do it) would also cause a lot of complaints.

I think we [...] will need to have the BTS send all emails from
bugs.debian.org role addresses and not use the sender's email in From
anymore.

Just to make sure I understand the constraints: we can determine at sending >> time whether a particular domain is going to cause trouble or not, right?
If so could this rewrite scheme be applied only for recipients where it's
absolutely necessary?

I haven't looked into this in a lot of detail, but my concern would be
that that would end up being flaky and confusing in practice. I think
people want the behaviour of the BTS to be easily predictable without
having to get an advanced degree in MTA debugging first.

I agree that inconsistent behavior is concerning. IETF mailing lists selectively rewrite From based on domain DMARC and it seems to be mostly okay. It may be that the typical IETF participant knows more about email than the typical BTS user.

Personally, I worry more about the added complexity and maintainability. It's timely that this
Niklaus Wirth quote from 2008: A Brief History of Software Engineering by Niklaus Wirth showed up in my Mastodon feed yesterday:

“A primary effort must be education toward a sense of quality. Programmers must become engaged crusaders against home-made complexity. The cancerous growth of complexity is not a thing to be admired; it must be fought wherever possible.”

I think it's definitely possible to avoid this complexity, so we probably should.

Scott K

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi Jeremy,

On Thu, Jan 04, 2024 at 03:11:59PM +0000, Jeremy Stanley wrote:

On 2024-01-04 15:54:28 +0100 (+0100), Daniel Gröber wrote:

could this rewrite scheme be applied only for recipients where it's absolutely necessary?

Unfortunately no. It *used* to be a popular assumption that you could
look at the published DKIM/DMARC policies [...] but [...] Gmail decided
to treat messages from its own users more strictly than the policy it publishes for them in DNS. And since Gmail does custom domain hosting
too, you can't simply limit the workaround to treating their well-known domain specially. Given its popularity (near ubiquity) as a freemail
provider these days,

Any good reason we cannot look at the MX domain (or in the worst case) ASN associated with mailserver IP to special case particularly offensive implementations such as this if looking at the DMARC policy works in the average case?

telling users they'll have to get an address somewhere else to interact
with the BTS is unlikely to end well either.

That's certainly not something I'd advocate for. I want us to minimize the
PITA for the technically literate without sacrifising general usability.

--Daniel

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEV6G/FbT2+ZuJ7bKf05SBrh55rPcFAmWW1FcACgkQ05SBrh55 rPdOChAAlXX1e91eXmgTUgnGOSIfv/Z5GWEMLJRHMmbqTiTWoDRaMY7zAHQFXSvC GtiYzw8pkjfXekD9orihgtW01pg0+YbMlH247KeLfFxO6HlbA94pLNUWWq6nTxVL PL9YSl6m6y47CG2nI1RfvZsFyRcbs4cBpIctkTcsHZFpA3rdhROnZykZp9b45yTu Ir3vUFxG7EWpbWXjCO2PuteRO1uW+u+0nH6h59bQ6KQqL/FIeP7SHxuRdTrkNefG gkAAGsolqo3nl4+BdYNAj9VKv/C4PHutBzDX6lFNhTAQeoUhMFO/n1b/PC5V9IXN K+Sh0nZ34FBsQs8OHo0CX2resN06jLzQBXtOhuVvBmd3TLdbJ4jFbbLKl5rkE3pf aqAlL+fhAVM2qJUyCOQQ3Feh6T7ohNhYZSkudErE99MUJNIi3K3nIvoUaQFXpTD1 DbznSn9HosQgdifYd4IDBMLVtCtPgGV7LkcB6VvGW5vVW2flC/sK3RFFP8UONMje miKCwk70LzjH1WxKHe15/CmQwyPbmuzNJ6WSHBiKlzF8NYVGuNdocExfLqFkBZWt XKC083rT3khkcrPeBQSnCbGh+JOPC2bLyN4jQBdrO8d5jxga+Uptc/2m2iOK41E2 4rmt1lkHaZQoS5Jl2g8DRkleZt4azFGCtFxpaPsC0HvqFiLfabw=
=6zka
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Thu, Jan 04, 2024 at 04:52:58PM +0100, Daniel Gröber wrote:

That's certainly not something I'd advocate for. I want us to minimize the PITA for the technically literate without sacrifising general usability.

To be honest, I think that address rewriting might actually be part of improving usability of the BTS - but it would have to be done carefully
and with an eye to various other features that have evolved as
workarounds for the current situation. It may be that some other
changes need to happen first.

The original design had a collection of addresses for each bug, all of
which were filed in the system itself, and some of which are also sent
on to others. As seen on https://www.debian.org/Bugs/Developer:

* nnn@bugs.debian.org — such messages are also sent to the package
maintainer and forwarded to debian-bugs-dist, but not to the
submitter;
* nnn-submitter@bugs.debian.org — these are also sent to the submitter
and forwarded to debian-bugs-dist, but not to the package maintainer;
* nnn-maintonly@bugs.debian.org — these are only sent to the package
maintainer, not to the submitter or debian-bugs-dist;
* nnn-quiet@bugs.debian.org — these are only filed in the bug tracking
system (as are all the above), not sent to anyone else.

This has been a mostly functional but slightly problematic design for as
long as I've been involved with Debian. The classic problem is that
people email a followup to a bug to nnn@bugs and (without much thinking
about it) expect it to be seen by everyone who's interested in that bug.
But in fact this doesn't automatically go to the submitter, nor
necessarily to anyone else who's been involved in the discussion on the
bug.

In practice, if you're receiving the bug discussion by email, then you
can reply-all and it'll usually be more or less OK - but if the email
thread is at all non-linear then people may well end up being left out
by accident, people can easily forget to reply-all rather than just
reply, and it's not exactly obvious how to participate in this way if
you weren't already CCed. ("bts --mbox show nnn" exists and is OK for
experts, but it's not exactly obvious and probably only works with some
MUAs.)

At some point debbugs gained a "subscribe" feature: you can email nnn-subscribe@bugs to subscribe to a bug, or nnn-unsubscribe@bugs to unsubscribe, with a confirmation message in each case. So far so good,
though clunky. But submitters aren't auto-subscribed, and you can't
really tell who's subscribed so you have no way to know in advance if
your message is going to reach the right people. (The implementation is
also kind of weird: IIRC it's done via lists.debian.org, so even the BTS
itself doesn't really know who's going to get the message.) As a
result, while this helped with certain use cases, it didn't really solve
the problem above.

What I always thought would be a better model would be for each bug to
be a "nosy list" (the term comes from roundup, I think). That is, bugs
would have a list of addresses notified of changes, by default filing a
bug or sending a message to it would cause you to be added to the list,
and subscribing to or unsubscribing from any given bug would be easy.

Now, such a change would certainly require some people to adjust a bit,
and it would be easier if the BTS had an optional authenticated web
interface to allow you to (un)subscribe more easily. I'm not saying it
would be straightforward. But if things worked this way, then I think rewriting addresses to nnn@bugs would ultimately be less controversial -
it would be the most convenient default, as the address that's most
likely to reach everyone you probably want it to reach.

--
Colin Watson (he/him) [cjwatson@debian.org]

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 2024-01-04 16:52:58 +0100 (+0100), Daniel Gröber wrote:
[...]

Any good reason we cannot look at the MX domain (or in the worst case) ASN associated with mailserver IP to special case particularly offensive implementations such as this if looking at the DMARC policy works in the average case?

[...]

Unfortunately not. An example I know of is Red Hat's corporate
E-mail, they use a third-party filter (Mimecast) as their MX which
then forwards to their custom domain on Gmail.

As a mailing list admin in some popular open source communities,
I've become all too familiar with these challenges. It doesn't help
that the situation changes month-to-month, so what you decide today
may suddenly stop working any moment and you're back to square one.

The cynic in me says that the mass freemail providers slipped these
policy frameworks in as a sort of Trojan Horse, promising to fix
"the spam problem" when their real goal was poisoning the well we're
all drinking from and then setting themselves up as the only safe
supply of drinking water. They're all too happy to propose standards
when they want other operators to do something, but then willfully
ignore those same standards whenever it suits their purposes.
--
Jeremy Stanley

-----BEGIN PGP SIGNATURE-----

iQKTBAABCgB9FiEEl65Jb8At7J/DU7LnSPmWEUNJWCkFAmWW23lfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDk3 QUU0OTZGQzAyREVDOUZDMzUzQjJFNzQ4Rjk5NjExNDM0OTU4MjkACgkQSPmWEUNJ WCltEA/7BMYK9FR0VcEizT4lpYiCiTLfXUNWZPYvY23uD7ynjIE7EYckhnBAIy6B Vp2JgYi714nfV8IP+d7a7d8aLXVbMrsfimplpk7pK59i+OWZIgt8Wf+xeuCGwerd fAhwqJg0Nj32OlL2/vraEPOnW3V9znRrzAP3/4e7QuJzhS/teUQoSJoWGfmLlbbT kk48DGvmivRGQGvUeAKUWRAxKwNVNYXiT9g25UlmVQ458gaFGt2vUEkWDcyfPe+3 qxSNcyWSJVed0sQGnHcPydq0VgeQsZccIOxxKsku2NY1lmNi0iVbVrFTsQIUeoMe zSPFL1oArs9UMHCF60zJXkw92vd/ngfb+C/yB8ioFYrL7XNGBEA1dDD4lMcbz1pu /x0dwi1tsEWkNRavus5VNXj9VddxPx3ppB1jyfMYJ1eGuUE+xHYPGuYiNZ1kL9Lr I+aTV7KIk0I5IPPZ+wuKcIc1m2+cuWkhZhW3pR3rOXSVBgoc9FwCAHODvEF54r5m md93PJFOyMg3kUIM9gesH/eRAGIuJSg31hL/pmeJIFfbBe90Sj2T9pJf8I19auZS W/7GWU8Gwdg/V0GpJ6QInjfKRn0StDqgGURz0i0iIU3uflGI6R/ea47ncwB7wBo4 u9J9wZg36a7lTCrMEvFm+xvjlmaqiJV6NzrOFqD9alA505nxbcs=
=DWMe
-----END PGP SIGNATURE-----

--- SoupGate-Win32