Does Spectrum have a web submission endpoint for b4?

Does Spectrum have a web submission endpoint for b4?

[Demi Marie Obenour]

[-- Attachment #1.1.1: Type: text/plain, Size: 263 bytes --]

I'm curious if Spectrum has a web submission endpoint for b4.
would lower the barrier to entry for those who have bad mail
clients, like the GMail web UI.

I did notice that .b4-config did not mention one.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)

[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 7253 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: Does Spectrum have a web submission endpoint for b4?

[Alyssa Ross]

[-- Attachment #1: Type: text/plain, Size: 621 bytes --]

Demi Marie Obenour <demiobenour@gmail.com> writes:

> I'm curious if Spectrum has a web submission endpoint for b4.
> would lower the barrier to entry for those who have bad mail
> clients, like the GMail web UI.
>
> I did notice that .b4-config did not mention one.

It doesn't.  We could set one up, but I'd have to research how to
prevent it being used for spam, since it sounds like it would basically
be an open relay, and we've had a number of GMail users able to submit
patches successfully using git-send-email so far.  Isn't all you have to
do create an app-specific password and use that as your SMTP password?

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 227 bytes --]

Re: Does Spectrum have a web submission endpoint for b4?

[Demi Marie Obenour]

[-- Attachment #1.1.1: Type: text/plain, Size: 2474 bytes --]

On 7/26/25 06:08, Alyssa Ross wrote:
> Demi Marie Obenour <demiobenour@gmail.com> writes:
> 
>> I'm curious if Spectrum has a web submission endpoint for b4.
>> would lower the barrier to entry for those who have bad mail
>> clients, like the GMail web UI.
>>
>> I did notice that .b4-config did not mention one.
> 
> It doesn't.  We could set one up, but I'd have to research how to
> prevent it being used for spam, since it sounds like it would basically
> be an open relay, and we've had a number of GMail users able to submit
> patches successfully using git-send-email so far.  Isn't all you have to
> do create an app-specific password and use that as your SMTP password?

b4 web submission is authenticated: the user must prove they own the
email address before they can send as that email address.

Creating an app-specific password does work, but it isn't always
an option:

- Enrolling in the Advanced Protection Program (recommended for the
  very users Spectrum targets!) disables app passwords.

- Google Workspace admins can disable app passwords.

- Microsoft 365 has either removed support for SMTP basic auth
  or will do so soon.

OAuth is still supported, but it isn't always an option, and even
when it is it is still a huge barrier to entry:

- Obtaining an OAuth token for SMTP requires registering an app,
  and admins (at least in Microsoft 365) can disable that.

- There is no builtin OAuth support in git send-email.  There are
  sendmail compatible CLIs that do have such support, but everyone
  who packaged it might need to get their own client ID for legal
  reasons.  This would also cause problems in corporate environments.

- Some email servers add legal disclaimers that are inappropriate
  for public mailing lists.

Using a separate email account for patch submission works, but in
some cases third-party SMTP servers are blocked by a corporate firewall,
and it is also a large barrier for new contributors.

In contrast, using b4 web submission only requires that one be able
to make an HTTPS request and prove control over the email address one
is using.  That's a vastly simpler process than having to configure
git send-email manually.

It's worth noting that supporting web submission does require that
the mailing list rewrites the From: header, as otherwise DMARC will
fail and the mail will be rejected or marked as spam.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)

[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 7253 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: Does Spectrum have a web submission endpoint for b4?

[Demi Marie Obenour]

[-- Attachment #1.1.1: Type: text/plain, Size: 2943 bytes --]

On 7/27/25 18:18, Demi Marie Obenour wrote:
> On 7/26/25 06:08, Alyssa Ross wrote:
>> Demi Marie Obenour <demiobenour@gmail.com> writes:
>>
>>> I'm curious if Spectrum has a web submission endpoint for b4.
>>> would lower the barrier to entry for those who have bad mail
>>> clients, like the GMail web UI.
>>>
>>> I did notice that .b4-config did not mention one.
>>
>> It doesn't.  We could set one up, but I'd have to research how to
>> prevent it being used for spam, since it sounds like it would basically
>> be an open relay, and we've had a number of GMail users able to submit
>> patches successfully using git-send-email so far.  Isn't all you have to
>> do create an app-specific password and use that as your SMTP password?
> 
> b4 web submission is authenticated: the user must prove they own the
> email address before they can send as that email address.
> 
> Creating an app-specific password does work, but it isn't always
> an option:
> 
> - Enrolling in the Advanced Protection Program (recommended for the
>   very users Spectrum targets!) disables app passwords.
> 
> - Google Workspace admins can disable app passwords.
> 
> - Microsoft 365 has either removed support for SMTP basic auth
>   or will do so soon.
> 
> OAuth is still supported, but it isn't always an option, and even
> when it is it is still a huge barrier to entry:
> 
> - Obtaining an OAuth token for SMTP requires registering an app,
>   and admins (at least in Microsoft 365) can disable that.
> 
> - There is no builtin OAuth support in git send-email.  There are
>   sendmail compatible CLIs that do have such support, but everyone
>   who packaged it might need to get their own client ID for legal
>   reasons.  This would also cause problems in corporate environments.
> 
> - Some email servers add legal disclaimers that are inappropriate
>   for public mailing lists.
> 
> Using a separate email account for patch submission works, but in
> some cases third-party SMTP servers are blocked by a corporate firewall,
> and it is also a large barrier for new contributors.
> 
> In contrast, using b4 web submission only requires that one be able
> to make an HTTPS request and prove control over the email address one
> is using.  That's a vastly simpler process than having to configure
> git send-email manually.
> 
> It's worth noting that supporting web submission does require that
> the mailing list rewrites the From: header, as otherwise DMARC will
> fail and the mail will be rejected or marked as spam.

Two other factors:

- For people who are using compartmentalized operating systems,
  `b4 send` access (which is only to certain mailing lists)
  is less than full SMTP access and *much* less than what an
  app-specific password grants.
- `b4 send` allows isolating the attestation keys from the user's
  email client.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)

[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 7253 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: Does Spectrum have a web submission endpoint for b4?

[Alyssa Ross]

[-- Attachment #1: Type: text/plain, Size: 982 bytes --]

Demi Marie Obenour <demiobenour@gmail.com> writes:

> On 7/26/25 06:08, Alyssa Ross wrote:
>> Demi Marie Obenour <demiobenour@gmail.com> writes:
>> 
>>> I'm curious if Spectrum has a web submission endpoint for b4.
>>> would lower the barrier to entry for those who have bad mail
>>> clients, like the GMail web UI.
>>>
>>> I did notice that .b4-config did not mention one.
>> 
>> It doesn't.  We could set one up, but I'd have to research how to
>> prevent it being used for spam, since it sounds like it would basically
>> be an open relay, and we've had a number of GMail users able to submit
>> patches successfully using git-send-email so far.  Isn't all you have to
>> do create an app-specific password and use that as your SMTP password?
>
> b4 web submission is authenticated: the user must prove they own the
> email address before they can send as that email address.

Okay, good to know.  I'll keep it in mind for when I'm feeling a bit
better. :)

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 227 bytes --]

Re: Does Spectrum have a web submission endpoint for b4?

[Demi Marie Obenour]

[-- Attachment #1.1.1: Type: text/plain, Size: 2220 bytes --]

On 7/27/25 18:18, Demi Marie Obenour wrote:
> On 7/26/25 06:08, Alyssa Ross wrote:
>> Demi Marie Obenour <demiobenour@gmail.com> writes:
>>
>>> I'm curious if Spectrum has a web submission endpoint for b4.
>>> would lower the barrier to entry for those who have bad mail
>>> clients, like the GMail web UI.
>>>
>>> I did notice that .b4-config did not mention one.
>>
>> It doesn't.  We could set one up, but I'd have to research how to
>> prevent it being used for spam, since it sounds like it would basically
>> be an open relay, and we've had a number of GMail users able to submit
>> patches successfully using git-send-email so far.  Isn't all you have to
>> do create an app-specific password and use that as your SMTP password?
> 
> b4 web submission is authenticated: the user must prove they own the
> email address before they can send as that email address.
> 
> Creating an app-specific password does work, but it isn't always
> an option:
> 
> - Enrolling in the Advanced Protection Program (recommended for the
>   very users Spectrum targets!) disables app passwords.
> 
> - Google Workspace admins can disable app passwords.
> 
> - Microsoft 365 has either removed support for SMTP basic auth
>   or will do so soon.

Looks like Microsoft 365 has fully removed basic auth support.

> OAuth is still supported, but it isn't always an option, and even
> when it is it is still a huge barrier to entry:
> 
> - Obtaining an OAuth token for SMTP requires registering an app,
>   and admins (at least in Microsoft 365) can disable that.

Apparently some programs solve this by impersonating Outlook.

> - There is no builtin OAuth support in git send-email.  There are
>   sendmail compatible CLIs that do have such support, but everyone
>   who packaged it might need to get their own client ID for legal
>   reasons.  This would also cause problems in corporate environments.

Correction: git send-email actually has OAuth2 support, but it has
no builtin way to obtain an OAuth refresh token.  There is a third-party
program (git-credential-oauth) that does support this, but it is not
installed by default.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)

[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 7253 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]