Gentoo Archives: gentoo-project

From: "William L. Thomson Jr." <wlt-ml@××××××.com>
To: gentoo-project@l.g.o
Subject: Re: [gentoo-project] Spoofing on list -> Infra response re SPF
Date: Mon, 05 Dec 2016 21:07:42
Message-Id: assp.0147c3357b.2809094.gQIv6DqXIg@wlt
In Reply to: Re: [gentoo-project] Spoofing on list -> Infra response re SPF by Kent Fredric
On Tuesday, December 6, 2016 9:52:02 AM EST Kent Fredric wrote:
> On Mon, 05 Dec 2016 15:22:15 -0500
>
> "William L. Thomson Jr." <wlt-ml@××××××.com> wrote:
> > I was meaning for anyone with @gentoo.org. Like commits must be signed.
> > It's one thing to spoof another list member. No outsider should be able to
> > pose as an @gentoo.org address.
>
> But that means you have to require signing when the from is @gentoo.org ,
> but not otherwise.

Can you think of a reason to not sign an email from @gentoo.org? Would that
not be the same as not signing a commit?

I really believe this was required in the past. I had serious issues with GPG
signing with Evolution and Seahorse. Robin/robbat2 got involved as team lead
to mediate a conflict. One that NEVER made it to comrel since the proper
resolution mechanisms were in place and worked flawlessly!!!! I even had
serious culture differences with dude...

The only reason I was messing with GPG and emails was it was required. At
least I was under that impression. Not sure when that changed.

> Which means @gentoo.org can still spoof @example.org :)

That is more of a concern to @example.org than Gentoo. Though something should
be in place to not allow spoofing all around. IMHO

> I'm not really complaining here, I just don't think it would be consistent,
> only a double standard.

I do hate double standards :)

I would not be against requiring everyone to sign. Though given that MTAs
allow you to sign emails from others. Not sure it will help.

I filed a bug with kmail on that.

Verify GPG key emails when signing an email
https://bugs.kde.org/show_bug.cgi?id=373314

And one that allowed me to spoof in the first place...

Make From field in the composer read only
https://bugs.kde.org/show_bug.cgi?id=373313

--
William L. Thomson Jr.

Attachments

File name MIME type
signature.asc application/pgp-signature

Replies

Subject Author
Re: [gentoo-project] Spoofing on list -> Infra response re SPF Kent Fredric <kentnl@g.o>