#43 Lack of confirmation of emails

open
nobody
None
5
2002-01-24
2002-01-24
Anonymous
No

Sourceforge's bug tracking system allows someone to put in another person's email address to be notified when the bug is commented on/resolved but does not confirm an address prior to allowing it to receive email updates (quotes from email meant to go to SPAM-L):

<marcmerlin> Do we have to allow unauthenticated users to enter an Email to monitor a bug?
<moorman> yes
<moorman> they have no other means to obtain bug information once it is posted at this time
<marcmerlin> (i.e. can't we require them to be logged in if they want mail updates?)
<moorman> it's not even a matter of updates
<marcmerlin> Ah, I thought they'd be able to just bookmark the bug page and go back there
<moorman> when posting a tracker item, the user is not provided with the number of the item they generate via the web interface
<marcmerlin> Got it.
<moorman> they would either need to wade through the other anonymous tickets, or read the e-mail we send them

This opens up vulnerabilities for misuse via spamming and other unwanted email, especially if a project is not quick enough on dealing with misused bug comments - although it could also be used for a (mild) degree of mail bombing by simply signing someone up for as many bug-tracking addresses as possible. I'm also wondering about whether the facility to upload/attach a file could be misused to transmit a mail bomb, virus/worm, etcetera, but am not sufficiently familiar with the Sourceforge system to know how much of a (potential) problem this is.

I suggest the solution to this is to give anyone who isn't logged in a URL to check for further comments on the bug in question.
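
The flaw named in the ticket title can also be closed with confirmed opt-in, a different remedy from the status URL suggested above. The sketch below is an added example, not SourceForge code: `TicketMonitors`, `SECRET`, `TOKEN_TTL`, `MAX_PENDING` and the `example.org` addresses are hypothetical. An unauthenticated request triggers at most one confirmation mail, and ticket updates are withheld until the address owner returns the signed token.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: server-side secret, never sent to clients
TOKEN_TTL = 24 * 3600             # assumption: confirmation tokens expire after 24 hours
MAX_PENDING = 3                   # assumption: cap on unconfirmed requests per address


def _sig(email, ticket_id, expires):
    msg = f"{email.lower()}|{ticket_id}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


class TicketMonitors:
    """Hypothetical monitor list: an address receives updates only after confirming."""

    def __init__(self):
        self.confirmed = set()  # (ticket_id, email) pairs that may receive updates
        self.pending = {}       # (ticket_id, email) -> expiry of outstanding request
        self.outbox = []        # (recipient, body) pairs standing in for sent mail

    def request(self, ticket_id, email, now=None):
        """Unauthenticated request: sends at most one confirmation mail, no updates."""
        now = int(now if now is not None else time.time())
        key = (ticket_id, email.lower())
        live = [k for k, exp in self.pending.items() if k[1] == key[1] and exp > now]
        if key in self.confirmed or key in live or len(live) >= MAX_PENDING:
            return None  # nothing is mailed: already handled, or address is being flooded
        self.pending[key] = expires = now + TOKEN_TTL
        token = f"{expires}.{_sig(key[1], ticket_id, expires)}"
        self.outbox.append((key[1], f"Confirm monitoring of #{ticket_id}: {token}"))
        return token

    def confirm(self, ticket_id, email, token, now=None):
        """Activate only with an unexpired token bound to this address and ticket."""
        expires_s, _, sig = token.partition(".")
        good = hmac.compare_digest(sig.encode(), _sig(email, ticket_id, expires_s).encode())
        now = now if now is not None else time.time()
        if not good or now > int(expires_s):
            return False
        self.pending.pop((ticket_id, email.lower()), None)
        self.confirmed.add((ticket_id, email.lower()))
        return True

    def notify(self, ticket_id, body):
        """Ticket updates go to confirmed addresses only."""
        sent = sorted(e for t, e in self.confirmed if t == ticket_id)
        self.outbox.extend((e, body) for e in sent)
        return sent
```

The per-address cap bounds how many confirmation mails a third party can cause across many tickets; the token is verified before its expiry field is parsed, so malformed tokens are rejected by the MAC check.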
