[tor-project] email interface for Trac: a proposal

Silvia [Hiro] hiro at torproject.org
Thu Dec 15 10:41:08 UTC 2016


Hi,

So I have a bare minimum prototype here:
https://gitweb.torproject.org/admin/trac/trac-email.git/tree/notify.py

But I have started thinking that maybe this shouldn't be a simple script
parsing emails. Maybe I am over-thinking this but I am seeing a need for
a service that can perform basic cryptographic verification and
small integrations. I will list a few examples:

1. Trac email interface to open and reply to tickets.

2. Trac authentication for xmlrpc (better than just http auth)

3. Encrypted mailing lists

What I am outlining here is a simple service where, for example, we can
send a signed request via REST APIs and perform some actions.

So for example 1 the service will check an email account and verify
signatures to open/reply to trac tickets.

For example 2 there will be an API endpoint where we can send a signed
request to interact with trac (better than http auth which is the
standard for xmlrpc plugin).

Example 3 involves people sending encrypted emails w/ the server key,
and the server decrypting the email, encrypting with the participant
keys and sending the encrypted emails. In this case I wouldn't reinvent
the wheel and I would opt for integrating w/ schleuder
(https://git.codecoop.org/schleuder/schleuder3/). - Note I am aware of
the GPG 2 requirement and haven't fully considered this just yet ;)

Thoughts? Ideas?

- s

On 13/12/16 13:20, Silvia [Hiro] wrote:
> Apologies, I was eager to get some feedback and forgot to mention that
> the intention was to get rid of the perl part and move verification
> and trac ticket management into the same script.
>
> I am now managing the trust part of the signature verification
> (https://gitweb.torproject.org/admin/trac/trac-email.git/), but still
> heavy WIP.
>
> Will ask for feedback when I have a more complete prototype, so it is
> more clear how I want this to work.
>
> -s
>
> On 12/12/16 23:29, Peter Palfrader wrote:
>> On Mon, 12 Dec 2016, Silvia [Hiro] wrote:
>>
>>> I have shared the first version here:
>>> https://gitweb.torproject.org/admin/trac/trac-email.git/
>>>
>>> You will find procmail config, perl script verifying gpg signature (very
>>> simple), python script to verify user permissions and create/update trac
>>> tickets (still WIP).
>>>
>>> Looking forward to getting more feedback on the proposed changes.
>> I just glanced at it briefly, but the verify script has me worried.  It
>> uses Perl without 'use strict', nowadays open() really should use >= 3
>> arguments, and I am not convinced the script actually verifies that the
>> entire mail is signed.
>>
>> Also, you can't reliably count on the exit code of gpg for verifying
>> signatures.
>>
>> Cheers,
>
>
>
> _______________________________________________
> tor-project mailing list
> tor-project at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-project
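
Added example, not part of the original thread or of the trac-email code: one way to act on the quoted point about gpg's exit code is to decide from the machine-readable lines gpg writes with `--status-fd`. The fingerprints, allow-list and sample status output below are constructed, and the sketch covers only the signature decision, not whether the whole mail is covered by the signature.

```python
# Added example: decide from gpg's --status-fd lines, not its exit code.
FPR = "A" * 40        # constructed primary-key fingerprint
SUBKEY = "B" * 40     # constructed signing-subkey fingerprint
ALLOWED_FPRS = {FPR}  # hypothetical allow-list of people who may file tickets

# Status keywords that mean the signature must not be accepted.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

# Constructed status output: a good signature made with a subkey.
SAMPLE_GOOD = (
    "[GNUPG:] NEWSIG\n"
    f"[GNUPG:] GOODSIG {SUBKEY[-16:]} Constructed User <user@example.org>\n"
    f"[GNUPG:] VALIDSIG {SUBKEY} 2016-12-15 1481798468 0 4 0 1 8 00 {FPR}\n"
)
# Constructed status output: same signature, but the key has expired.
SAMPLE_EXPIRED = SAMPLE_GOOD.replace("GOODSIG", "EXPKEYSIG")


def parse_status(text):
    """Yield (keyword, args) for each '[GNUPG:] KEYWORD args...' line."""
    for line in text.splitlines():
        if line.startswith("[GNUPG:] "):
            parts = line.split()
            if len(parts) >= 2:
                yield parts[1], parts[2:]


def signer_fingerprint(status_text, allowed=ALLOWED_FPRS):
    """Return the signer's primary-key fingerprint, or None to reject."""
    valid = []
    for keyword, args in parse_status(status_text):
        if keyword in REJECT:
            return None
        if keyword == "VALIDSIG" and args:
            # Field 10 is the primary-key fingerprint when present;
            # field 1 is the fingerprint of the key that made the signature.
            valid.append(args[9] if len(args) > 9 else args[0])
    # Exactly one valid signature: an extra, unknown signer must not
    # ride along with a trusted one, and "no signature" is a rejection.
    if len(valid) != 1:
        return None
    return valid[0] if valid[0].upper() in allowed else None


if __name__ == "__main__":
    print(signer_fingerprint(SAMPLE_GOOD))     # accepted signer
    print(signer_fingerprint(SAMPLE_EXPIRED))  # rejected
```
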
