GNOME Bugzilla – Bug 351489
allows people to send bugs using another's email address
Last modified: 2018-07-16 08:24:52 UTC
For example bug 351488 which I filed using reinout's bugzilla email address. This allows people to file bugs which will appear as if *I* filed them, potentially including embarrassing or harassing material. IMHO this is a blocker.
We had a lot of discussion about allowing anonymous/non-registered users to submit bugs to bugzilla. The problem is that currently the only way to validate an email address would be using the bugzilla password, and that would force us to ask users to register. On the other hand, this is not new at all. Previous bug-buddy versions also asked for an email address and anyone could just fake it. We can add a disclaimer for the bugs coming from the XML-RPC interface saying that "this user is not validated" or something like that.
I understand that the problem with registering is that it will put off users from submitting bug reports. In case the submitted email address has no bugzilla account, a warning that the bug shouldn't be assumed to have originated with the owner of that email address might be enough (but what happens when the real owner later wants to open a real account?). But I think in case the email address already corresponds to a bugzilla account, the bug report must be authenticated by requiring the corresponding password.
Current freeze break proposal: http://mail.gnome.org/archives/release-team/2006-August/msg00170.html Basically the idea is requiring an account before bug submissions will be accepted. If the user doesn't have an account, a token will be mailed to the user and bug-buddy will store the submission so that it can be transmitted later. This is not ideal, but very likely how upstream Bugzilla will work. For Bugzilla 3.0 it will hopefully be only a code change to make it work (nothing noticeable to the user -- hopefully). Maybe Bug-Buddy should be able to have some kind of 'retransmit' button (so the user can create the account, then switch back to bug-buddy), however it could be that Evolution/Epiphany crashed. This causes one difficulty.. how will the user be able to transmit the crashers again? Step 1 has been completed.. e.g. bgo now allows sending a token to create an account. After that the XML-RPC function needs to check the password (currently it will only do this for the newer client, although I will change that some time after the 2.16.0 release), plus send a token (more difficult). The token needs to store the password as well, but this is not yet possible.
Lowering severity since this is not a new issue.
bug-buddy is not under active development anymore and had its last code changes many years ago. Its codebase has been archived: https://gitlab.gnome.org/Archive/bug-buddy/commits/master Closing this report as WONTFIX as part of Bugzilla Housekeeping to reflect reality (see bug 796784). Please feel free to reopen this ticket (or rather transfer the project to GNOME Gitlab, as GNOME Bugzilla is deprecated) if anyone takes the responsibility for active development again.