Re: [webpayments] Please enable issues to be reflected on the mailing list (#9)

There is now a bot Github user (https://github.com/webpayments/) with the email address github-w3c-webpayments-wg@w3.org
Correct.

That email account is subscribed to the WG mailing list and is also subscribed to all Github issue notifications on the repo: https://github.com/w3c/webpayments
It is also subscribed to:

https://github.com/WICG/web-payments-browser-api
https://github.com/WICG/paymentrequest
https://github.com/web-payments/web-payments-messaging/
https://github.com/web-payments/web-payments-http-api
and anything else the group deems appropriate as time goes on. Adding a new "watch" is as simple as logging in as the 'webpayments' user and "Watch"ing the repo (clicking a button).

When that account receives mails from Github it forwards them to the mailing list.
Correct.

When the account receives replies from the mailing list it forwards them to Github.
Technically, when people hit "Reply", they'll reply to the Github issue (via Github's mail server), which will then archive the email in the issue and send the response to the issue out to the mailing list.

Note that this is a feature that the standard W3C solution DOES NOT have. People w/o access to Github cannot participate in discussion.

The result (once all moderation issues have been resolved) will be that:

If a new issue is logged or a comment is added to an existing issue then a mail will be sent to the mailing list
Anyone replying to mails on the mailing list related to issues will see their replies posted against the Github issue.
Correct.

We still recommend that members of the WG post their comments and issues
directly on Github if possible as this has the least chance of creating
SPAM, messing with formatting or sending out duplicate messages.

Correct.

Are there any outstanding security concerns:

Is it possible to compromise the Github account of the bot?
That would be highly unlikely.

We have two-factor authentication turned on. So, an attacker would have to know the password on the account, steal one of the 'webpayments' admin's phones (Doug and myself right now, the chairs and W3C staff as soon as we can get you guys set up), and then figure out their password to unlock the phone.

Is it possible to post to Github "anonymously"?
No, but it's very easy to get a Github account using a fake email address and spam any issue on Github. It's also easy to subscribe to the mailing list and "Reply To" pseudo-anonymously. The easier attack is signing up for a Github account.

Are we certain that no email sent to the members-only mailing list will end up on Github?
The members-only mailing list isn't set up at all to reflect issues to Github. The only way this could happen is if someone sent an email to members-only and cc'ed the public mailing list as well (which would kinda defeat the purpose of sending a members-only mail).

Thanks for making this work. If it's as seamless as it appears it should be
then I think it will be a great way to use Github and still accommodate
those that like to (or have to) use the mailing list.

I think the solution meets all of the requirements we have and doesn't enable any kind of attack we can't control via the issue tracker. In the very worst case, we can shut down the spam and put a new (more restrictive) solution in place.

—
Reply to this email directly or view it on GitHub <https://github.com/w3c/webpayments/issues/9#issuecomment-157147357>.

Received on Monday, 16 November 2015 19:44:18 UTC