User: Password:
|
|
Subscribe / Log in / New account

Bug reports: information or spam?

Bug reports: information or spam?

Posted Apr 13, 2012 20:19 UTC (Fri) by josh (subscriber, #17465)
In reply to: Bug reports: information or spam? by wookey
Parent article: Bug reports: information or spam?

You definitely don't need to run a mail server to use reportbug. By default, reportbug configures itself to talk to reportbug.debian.org, which accepts mail for Debian bug reports (and nothing else). It also uses the submission port, which doesn't get blocked nearly as often as port 25.


(Log in to post comments)

Bug reports: information or spam?

Posted Apr 14, 2012 15:05 UTC (Sat) by zack (subscriber, #7062) [Link]

> It also uses the submission port, which doesn't get blocked nearly as often as port 25.

Right, but it is still more often blocked than http/https.

For that reason, I think that http submission for reportbug would be worthwhile, and that's why I've posted a while ago half a patch (the server-side half) for that at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=590269#51

What is missing to deploy that is the client-side half, i.e. support in reportbug to deliver MIME bug report via HTTP. If some kind soul is willing to do that, I'll be happy to deploy the server-side half somewhere for testing. See the above URL for more information.

Cheers.

Bug reports: information or spam?

Posted Apr 14, 2012 23:41 UTC (Sat) by dlang (subscriber, #313) [Link]

but there are also many times when e-mail will work and http/https is blocked.

There is no one protocol that will always work, it's a good idea for the reporting tool to support several different protocols.

Bug reports: information or spam?

Posted Apr 14, 2012 23:54 UTC (Sat) by josh (subscriber, #17465) [Link]

I don't think it makes sense to make every tool that needs to communicate over a network support several different protocols to transmit the same information. Just make it support one reliable protocol, and provide tools (such as SSH tunnels, VPNs, and Tor) for people on intentionally broken networks to get a usable connection.

Bug reports: information or spam?

Posted Apr 15, 2012 0:07 UTC (Sun) by dlang (subscriber, #313) [Link]

the networks where e-mail is blocked are not likely to allow SSH tunnels, VPNs, or Tor connections out either.

We also aren't talking about making all programs that communicate talk multiple protocols, we are talking about a specific use-case, submitting bug reports. By definition, when you are submitting a bug report, something is broken. As such, you should support multiple ways to submit the bug so that you can work around whatever is broken.

Also, the networks in question are only "broken" if you think that every computer in existence should be able to talk freely to every other computer in existence. This model of reality disappeared (if it ever really existed) decades ago. Security and Access restrictions are not only just the reality, they are very desirable in many cases.

Bug reports: information or spam?

Posted Apr 15, 2012 1:11 UTC (Sun) by josh (subscriber, #17465) [Link]

> the networks where e-mail is blocked are not likely to allow SSH tunnels, VPNs, or Tor connections out either.

What makes a network that only allows outbound HTTP different than a network that only allows some obscure protocol outbound, or a network that allows no outbound access at all? Should reportbug support DNS-based transmission to get through networks that block HTTP?

> Also, the networks in question are only "broken" if you think that every computer in existence should be able to talk freely to every other computer in existence. This model of reality disappeared (if it ever really existed) decades ago. Security and Access restrictions are not only just the reality, they are very desirable in many cases.

Disallowing inbound access makes sense for security. Disallowing outbound access (with the *possible* exception of port 25 on networks with a pile of infected spam-sending systems that can't just be kicked off the network) makes a network broken.

Bug reports: information or spam?

Posted Apr 15, 2012 1:41 UTC (Sun) by dlang (subscriber, #313) [Link]

>> the networks where e-mail is blocked are not likely to allow SSH tunnels, VPNs, or Tor connections out either.

> What makes a network that only allows outbound HTTP different than a network that only allows some obscure protocol outbound, or a network that allows no outbound access at all? Should reportbug support DNS-based transmission to get through networks that block HTTP?

no, you should not implement DNS-based transmission, ping based transmission, or other weird new protocols.

But for a bug reporting tool, you should support the common data communication protocols.

> Disallowing inbound access makes sense for security. Disallowing outbound access (with the *possible* exception of port 25 on networks with a pile of infected spam-sending systems that can't just be kicked off the network) makes a network broken.

Here I (and most security people) just disagree with you. It all depends on the purpose of the network, if the network is not intended to talk to the Internet, creating the ability for it to talk directly to the Internet is a bad idea.

Bug reports: information or spam?

Posted Apr 15, 2012 3:31 UTC (Sun) by josh (subscriber, #17465) [Link]

> But for a bug reporting tool, you should support the common data communication protocols.

SMTP is pretty common. :)

(Note, by the way, that I'm not attempting to argue against the implementation of HTTP for other reasons; I just think "because there are networks that block SMTP" doesn't seem like a good enough reason.)

> Here I (and most security people) just disagree with you. It all depends on the purpose of the network, if the network is not intended to talk to the Internet, creating the ability for it to talk directly to the Internet is a bad idea.

On the contrary, I agree that air-gapped networks potentially make sense. If you want a restricted network with *no* outbound access, by all means have one. And if your network should not provide access to the Internet, don't try to report bugs from that network. :)

But don't create a network that allows *some* traffic out without allowing *all* traffic out; any sufficiently creative and annoyed developer who just wants to get work done will find a way to turn whatever traffic you do allow through into a real Internet connection, as will anyone trying to get malicious activity through.

Bug reports: information or spam?

Posted Apr 15, 2012 3:54 UTC (Sun) by dlang (subscriber, #313) [Link]

security isn't the practice of preventing all possible activities (turning the computer off and sealing it in a faraday cadge will do that), it's a matter of managing risk and slowing down the attacker long enough to catch and stop them.

a network that can do some things, but not all things is a very reasonable, and very common situation.


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds