Bug 650964 - gentoo-dev ML: Implement council decision on user whitelisting
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Infrastructure
Classification: Unclassified
Component: Mailing Lists
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Infrastructure
Reported: 2018-03-20 08:47 UTC by Kristian Fiskerstrand
Modified: 2019-08-01 19:20 UTC
Description Kristian Fiskerstrand gentoo-dev Security 2018-03-20 08:47:51 UTC
In the Council meeting 10th of December 2017 it was determined that the gentoo-dev mailing list is to be restricted for posting for gentoo devs and users that have been whitelisted and monitored by gentoo devs. The whitelisting is tracked in bug 644070 similar to editbugs.

I request that infra implements posting restrictions according to these criteria.
Comment 1 Michael Palimaka (kensington) gentoo-dev 2018-03-20 11:20:53 UTC
Counterproposal: Council admits it made a mistake and reverts a decision that is contrary to the spirit of open communities.
Comment 2 Kristian Fiskerstrand gentoo-dev Security 2018-03-20 11:33:26 UTC
(In reply to Michael Palimaka (kensington) from comment #1)
> Counterproposal: Council admits it made a mistake and reverts a decision
> that is contrary to the spirit of open communities.

I refer you to 20180211 summary;

Mailing list posting restrictions
=================================
The council discussed several options, like lifting the restrictions
entirely, using moderation, or blacklisting instead of a whitelisting.
Finally, the previous decisions were confirmed. K_F volunteered to
liaise with infra for implementation.

- Vote: The council confirms its decisions taken in the 20171210
  meeting about mailing list restrictions.
  Accepted with 4 yes votes, 1 no vote, and 2 abstentions.
Comment 3 Michael Palimaka (kensington) gentoo-dev 2018-03-20 11:37:19 UTC
(In reply to Kristian Fiskerstrand from comment #2)
> (In reply to Michael Palimaka (kensington) from comment #1)
> > Counterproposal: Council admits it made a mistake and reverts a decision
> > that is contrary to the spirit of open communities.
> 
> I refer you to 20180211 summary;
> 
> Mailing list posting restrictions
> =================================
> The council discussed several options, like lifting the restrictions
> entirely, using moderation, or blacklisting instead of a whitelisting.
> Finally, the previous decisions were confirmed. K_F volunteered to
> liaise with infra for implementation.
> 
> - Vote: The council confirms its decisions taken in the 20171210
>   meeting about mailing list restrictions.
>   Accepted with 4 yes votes, 1 no vote, and 2 abstentions.

I refer you to comment #1.
Comment 4 R030t1 2018-03-21 15:57:40 UTC
It was mentioned on the mailing list this should have been discussed months ago, yet many people did come out against this decision and were ignored.
Comment 5 Matthias Maier gentoo-dev 2018-03-21 17:21:51 UTC
Restricting bugs to developer-only for now to avoid the flame-fest on the mailing list swapping over to the bug tracker.

This is merely about the technical implementation of the council decision.
Comment 6 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2018-03-21 17:24:21 UTC
Where is the proper outlet for these frustrations then?  Not giving an outlet is just asking for problems.
Comment 7 Kristian Fiskerstrand gentoo-dev Security 2018-03-21 19:19:59 UTC
I'm lifting the restriction as I don't see a need for this bug to be locked, but I would remind people that this is a place to discuss the technical implementation of a council decision, not the decision itself.
Comment 8 Alec Warner archtester Gentoo Infrastructure gentoo-dev Security 2018-03-21 19:53:13 UTC
(In reply to Kristian Fiskerstrand from comment #7)
> I'm lifting the restriction as I don't see a need for this bug to be locked,
> but I would remind people that this is a place to discuss the technical
> implementation of a council decision, not the decision itself.

As discussed on #gentoo-council I think we advocated for a thread on gentoo-project ML if further discussions are needed.
Comment 9 Arfrever Frehtes Taifersar Arahesis 2018-03-25 01:38:19 UTC
(In reply to Kristian Fiskerstrand from comment #0)
> In the Council meeting 10th of December 2017 it was determined that the
> gentoo-dev mailing list is to be restricted for posting for gentoo devs and
> users that have been whitelisted and monitored by gentoo devs. The
> whitelisting is tracked in bug 644070


I have one technical suggestion.

Keeping the list of whitelisted users in a bug looks like a poor technical design.

Therefore I suggest that this list be maintained in a human-readable, machine-parseable file (e.g. JSON or CSV) in a repository writable by all Gentoo developers. This file would be parsed by some part of mailing list software.
Comment 10 Arfrever Frehtes Taifersar Arahesis 2018-03-25 03:22:34 UTC
And to reduce spam, the list of whitelisted users (regardless of where it is maintained) should not be readable for unauthenticated people.
Comment 11 Alec Warner archtester Gentoo Infrastructure gentoo-dev Security 2018-04-09 13:18:02 UTC
(In reply to Arfrever Frehtes Taifersar Arahesis from comment #10)
> And to reduce spam, the list of whitelisted users (regardless of where it is
> maintained) should not be readable for unauthenticated people.

ACK, we have a list of addresses in a git repo that devs can RW, but no one (externally) can read. Note that I expect this git repo to be leaked by grumpy developers (many of whom have RW access to the whitelist).

There is a challenge with mail deny messages (where a subscriber tries to send a message and is denied) because we will send them a denial. This is used by spammers to send backscatter spam.

It's possible it's only really bad when anyone can post (so anyone can get the mail) as opposed to only issuing denials to subscribers. Will think about this more.

-A
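
The design discussed in comments 9 to 11, as an added example that is not part of the bug or of Gentoo infra's code: a posting gate that parses a machine-readable whitelist and sends a denial notice only to subscribers, so a forged From address cannot be used to generate backscatter. The CSV columns, the addresses, the developer and subscriber sets and the three decision names are assumptions made for illustration.

```python
import csv
import io
from email import message_from_string
from email.utils import parseaddr

# Constructed sample data; none of these addresses come from the bug.
WHITELIST_CSV = """address,sponsor
alice@example.org,dev1
Bob@Example.net,dev2
"""
DEVELOPERS = {"dev1@example.com"}                 # assumed: developers may always post
SUBSCRIBERS = {"carol@example.org", "alice@example.org"}


def load_whitelist(text):
    """Parse the CSV whitelist into a set of lower-cased addresses."""
    return {row["address"].strip().lower()
            for row in csv.DictReader(io.StringIO(text))
            if row.get("address")}


def decide(raw_message, whitelist, developers=DEVELOPERS, subscribers=SUBSCRIBERS):
    """Return 'accept', 'deny-notify' or 'deny-silent' for one message."""
    msg = message_from_string(raw_message)
    from_headers = msg.get_all("From", [])
    # Zero or several From headers is ambiguous: never answer such mail.
    if len(from_headers) != 1:
        return "deny-silent"
    _, addr = parseaddr(from_headers[0])
    addr = addr.lower()
    if "@" not in addr:
        return "deny-silent"
    if addr in developers or addr in whitelist:
        return "accept"
    # The From header is unauthenticated, so a denial notice goes to whoever
    # it names. Notifying only known subscribers keeps the list from being
    # used to bounce spam at arbitrary third parties (backscatter).
    if addr in subscribers:
        return "deny-notify"
    return "deny-silent"
```
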
Comment 12 Matthias Maier gentoo-dev 2018-04-09 18:18:27 UTC
(In reply to Alec Warner from comment #11)
> ACK, we have a list of addresses in a git repo that devs can RW, but no one
> (externally) can read. [...]

Thanks a lot for your work on that!
Comment 13 Kristian Fiskerstrand gentoo-dev Security 2018-04-29 17:34:29 UTC
Can you please provide a status update on this including an ETA for implementation?
Comment 14 Alec Warner archtester Gentoo Infrastructure gentoo-dev Security 2018-05-01 01:12:49 UTC
(In reply to Kristian Fiskerstrand from comment #13)
> Can you please provide a status update on this including an ETA for
> implementation?

I sent mail to council and infra with a draft email for the -dev list to discuss initial whitelist population.

-A
Comment 15 Sergei Trofimovich gentoo-dev 2018-05-13 18:34:36 UTC
Asking for an update (bug popped up in council monthly meeting).

Thanks!
Comment 16 Alec Warner archtester Gentoo Infrastructure gentoo-dev Security 2018-05-13 18:58:11 UTC
(In reply to Sergei Trofimovich from comment #15)
> Asking for an update (bug popped up in council monthly meeting).
> 
> Thanks!

I sent my (now reviewed) draft to the -dev list. We will allow some time for the whitelist to be populated and then move to enforcement, probably in two weeks (mostly due to upcoming vacation for me.)

-A
Comment 17 Sergei Trofimovich gentoo-dev 2018-06-10 18:33:09 UTC
Asking for an update (bug popped up in council monthly meeting).

Thanks!
Comment 18 Alec Warner archtester Gentoo Infrastructure gentoo-dev Security 2018-06-10 19:21:17 UTC
(In reply to Sergei Trofimovich from comment #17)
> Asking for an update (bug popped up in council monthly meeting).
> 
> Thanks!

It's enabled now. Enjoy!

-A
Comment 19 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2018-06-10 19:50:05 UTC
Could we please indicate this somehow on:

1. https://www.gentoo.org/get-involved/mailing-lists/
2. https://www.gentoo.org/get-involved/mailing-lists/all-lists.html

?  It seems really silly to have 'post to X' links when 'external' people clearly can't post to list.
Comment 20 Alec Warner archtester Gentoo Infrastructure gentoo-dev Security 2018-06-10 20:00:42 UTC
(In reply to Michał Górny from comment #19)
> Could we please indicate this somehow on:
> 
> 1. https://www.gentoo.org/get-involved/mailing-lists/
> 2. https://www.gentoo.org/get-involved/mailing-lists/all-lists.html
> 
> ?  It seems really silly to have 'post to X' links when 'external' people
> clearly can't post to list.

Marked moderated in mailinglists.yaml in 6234b92a4b93b3fa6895363f700b427124c2b165.

-A