* Re: Does Spectrum have a web submission endpoint for b4?
2025-07-27 22:18 ` Demi Marie Obenour
@ 2025-07-28 0:21 ` Demi Marie Obenour
2025-07-28 12:20 ` Alyssa Ross
2025-07-28 23:44 ` Demi Marie Obenour
2 siblings, 0 replies; 6+ messages in thread
From: Demi Marie Obenour @ 2025-07-28 0:21 UTC (permalink / raw)
To: Alyssa Ross, Spectrum OS Development
[-- Attachment #1.1.1: Type: text/plain, Size: 2943 bytes --]
On 7/27/25 18:18, Demi Marie Obenour wrote:
> On 7/26/25 06:08, Alyssa Ross wrote:
>> Demi Marie Obenour <demiobenour@gmail.com> writes:
>>
>>> I'm curious if Spectrum has a web submission endpoint for b4.
>>> would lower the barrier to entry for those who have bad mail
>>> clients, like the GMail web UI.
>>>
>>> I did notice that .b4-config did not mention one.
>>
>> It doesn't. We could set one up, but I'd have to research how to
>> prevent it being used for spam, since it sounds like it would basically
>> be an open relay, and we've had a number of GMail users able to submit
>> patches successfully using git-send-email so far. Isn't all you have to
>> do create an app-specific password and use that as your SMTP password?
>
> b4 web submission is authenticated: the user must prove they own the
> email address before they can send as that email address.
>
> Creating an app-specific password does work, but it isn't always
> an option:
>
> - Enrolling in the Advanced Protection Program (recommended for the
> very users Spectrum targets!) disables app passwords.
>
> - Google Workspace admins can disable app passwords.
>
> - Microsoft 365 has either removed support for SMTP basic auth
> or will do so soon.
>
> OAuth is still supported, but it isn't always an option, and even
> when it is it is still a huge barrier to entry:
>
> - Obtaining an OAuth token for SMTP requires registering an app,
> and admins (at least in Microsoft 365) can disable that.
>
> - There is no builtin OAuth support in git send-email. There are
> sendmail compatible CLIs that do have such support, but everyone
> who packaged it might need to get their own client ID for legal
> reasons. This would also cause problems in corporate environments.
>
> - Some email servers add legal disclaimers that are inappropriate
> for public mailing lists.
>
> Using a separate email account for patch submission works, but in
> some cases third-party SMTP servers are blocked by a corporate firewall,
> and it is also a large barrier for new contributors.
>
> In contrast, using b4 web submission only requires that one be able
> to make an HTTPS request and prove control over the email address one
> is using. That's a vastly simpler process than having to configure
> git send-email manually.
>
> It's worth noting that supporting web submission does require that
> the mailing list rewrites the From: header, as otherwise DMARC will
> fail and the mail will be rejected or marked as spam.
Two other factors:
- For people who are using compartmentalized operating systems,
`b4 send` access (which is only to certain mailing lists)
is less than full SMTP access and *much* less than what an
app-specific password grants.
- `b4 send` allows isolating the attestation keys from the user's
email client.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 7253 bytes --]
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Does Spectrum have a web submission endpoint for b4?
2025-07-27 22:18 ` Demi Marie Obenour
2025-07-28 0:21 ` Demi Marie Obenour
@ 2025-07-28 12:20 ` Alyssa Ross
2025-07-28 23:44 ` Demi Marie Obenour
2 siblings, 0 replies; 6+ messages in thread
From: Alyssa Ross @ 2025-07-28 12:20 UTC (permalink / raw)
To: Demi Marie Obenour, Spectrum OS Development
[-- Attachment #1: Type: text/plain, Size: 982 bytes --]
Demi Marie Obenour <demiobenour@gmail.com> writes:
> On 7/26/25 06:08, Alyssa Ross wrote:
>> Demi Marie Obenour <demiobenour@gmail.com> writes:
>>
>>> I'm curious if Spectrum has a web submission endpoint for b4.
>>> would lower the barrier to entry for those who have bad mail
>>> clients, like the GMail web UI.
>>>
>>> I did notice that .b4-config did not mention one.
>>
>> It doesn't. We could set one up, but I'd have to research how to
>> prevent it being used for spam, since it sounds like it would basically
>> be an open relay, and we've had a number of GMail users able to submit
>> patches successfully using git-send-email so far. Isn't all you have to
>> do create an app-specific password and use that as your SMTP password?
>
> b4 web submission is authenticated: the user must prove they own the
> email address before they can send as that email address.
Okay, good to know. I'll keep it in mind for when I'm feeling a bit
better. :)
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 227 bytes --]
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Does Spectrum have a web submission endpoint for b4?
2025-07-27 22:18 ` Demi Marie Obenour
2025-07-28 0:21 ` Demi Marie Obenour
2025-07-28 12:20 ` Alyssa Ross
@ 2025-07-28 23:44 ` Demi Marie Obenour
2 siblings, 0 replies; 6+ messages in thread
From: Demi Marie Obenour @ 2025-07-28 23:44 UTC (permalink / raw)
To: Alyssa Ross, Spectrum OS Development
[-- Attachment #1.1.1: Type: text/plain, Size: 2220 bytes --]
On 7/27/25 18:18, Demi Marie Obenour wrote:
> On 7/26/25 06:08, Alyssa Ross wrote:
>> Demi Marie Obenour <demiobenour@gmail.com> writes:
>>
>>> I'm curious if Spectrum has a web submission endpoint for b4.
>>> would lower the barrier to entry for those who have bad mail
>>> clients, like the GMail web UI.
>>>
>>> I did notice that .b4-config did not mention one.
>>
>> It doesn't. We could set one up, but I'd have to research how to
>> prevent it being used for spam, since it sounds like it would basically
>> be an open relay, and we've had a number of GMail users able to submit
>> patches successfully using git-send-email so far. Isn't all you have to
>> do create an app-specific password and use that as your SMTP password?
>
> b4 web submission is authenticated: the user must prove they own the
> email address before they can send as that email address.
>
> Creating an app-specific password does work, but it isn't always
> an option:
>
> - Enrolling in the Advanced Protection Program (recommended for the
> very users Spectrum targets!) disables app passwords.
>
> - Google Workspace admins can disable app passwords.
>
> - Microsoft 365 has either removed support for SMTP basic auth
> or will do so soon.
Looks like Microsoft 365 has fully removed basic auth support.
> OAuth is still supported, but it isn't always an option, and even
> when it is it is still a huge barrier to entry:
>
> - Obtaining an OAuth token for SMTP requires registering an app,
> and admins (at least in Microsoft 365) can disable that.
Apparently some programs solve this by impersonating Outlook.
> - There is no builtin OAuth support in git send-email. There are
> sendmail compatible CLIs that do have such support, but everyone
> who packaged it might need to get their own client ID for legal
> reasons. This would also cause problems in corporate environments.
Correction: git send-email actually has OAuth2 support, but it has
no builtin way to obtain an OAuth refresh token. There is a third-party
program (git-credential-oauth) that does support this, but it is not
installed by default.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 7253 bytes --]
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 6+ messages in thread