On 7/27/25 18:18, Demi Marie Obenour wrote: > On 7/26/25 06:08, Alyssa Ross wrote: >> Demi Marie Obenour writes: >> >>> I'm curious if Spectrum has a web submission endpoint for b4. >>> would lower the barrier to entry for those who have bad mail >>> clients, like the GMail web UI. >>> >>> I did notice that .b4-config did not mention one. >> >> It doesn't. We could set one up, but I'd have to research how to >> prevent it being used for spam, since it sounds like it would basically >> be an open relay, and we've had a number of GMail users able to submit >> patches successfully using git-send-email so far. Isn't all you have to >> do create an app-specific password and use that as your SMTP password? > > b4 web submission is authenticated: the user must prove they own the > email address before they can send as that email address. > > Creating an app-specific password does work, but it isn't always > an option: > > - Enrolling in the Advanced Protection Program (recommended for the > very users Spectrum targets!) disables app passwords. > > - Google Workspace admins can disable app passwords. > > - Microsoft 365 has either removed support for SMTP basic auth > or will do so soon. > > OAuth is still supported, but it isn't always an option, and even > when it is it is still a huge barrier to entry: > > - Obtaining an OAuth token for SMTP requires registering an app, > and admins (at least in Microsoft 365) can disable that. > > - There is no builtin OAuth support in git send-email. There are > sendmail compatible CLIs that do have such support, but everyone > who packaged it might need to get their own client ID for legal > reasons. This would also cause problems in corporate environments. > > - Some email servers add legal disclaimers that are inappropriate > for public mailing lists. > > Using a separate email account for patch submission works, but in > some cases third-party SMTP servers are blocked by a corporate firewall, > and it is also a large barrier for new contributors. > > In contrast, using b4 web submission only requires that one be able > to make an HTTPS request and prove control over the email address one > is using. That's a vastly simpler process than having to configure > git send-email manually. > > It's worth noting that supporting web submission does require that > the mailing list rewrites the From: header, as otherwise DMARC will > fail and the mail will be rejected or marked as spam. Two other factors: - For people who are using compartmentalized operating systems, `b4 send` access (which is only to certain mailing lists) is less than full SMTP access and *much* less than what an app-specific password grants. - `b4 send` allows isolating the attestation keys from the user's email client. -- Sincerely, Demi Marie Obenour (she/her/hers)