1

中信加速器打不开-outline

Published by Colin Watson May 20, 2024 in Notifications

The From: addresses used by Launchpad’s bug notifications have changed, to improve the chances of our messages being delivered over modern internet email.

Launchpad sends a lot of email, most of which is the result of Launchpad users performing some kind of action. For example, when somebody adds a comment to a bug, Launchpad sends that comment by email to everyone who’s subscribed to the bug.

Most of Launchpad was designed in an earlier era of internet email. In that era, it was perfectly reasonable to take the attitude that we were sending email on behalf of the user – in effect, being a fancy mail user agent or perhaps a little like a mailing list – and so if we generated an email that’s a direct result of something that a user did and consisting mostly of text they wrote, it made sense to put their email address in the From: header. Reply-To: was set so that replies would normally go to the appropriate place (the bug, in the case of bug notifications), but if somebody wanted to go to a bit of effort to start a private side conversation then it was easy to do so; and if email clients had automatic address books then those wouldn’t get confused because the address being used was a legitimate address belonging to the user in question.

Of course, some people always wanted to hide their addresses for obvious privacy reasons, so since 2006 Launchpad has had a “Hide my email address from other Launchpad users” switch (which you can set on your Change your personal details page), and since 2010 Launchpad has honoured this for bug notifications, so if you have that switch set then your bug comments will be sent out as something like “From: Your Name <bug-id@bugs.launchpad.net>“. This compromise worked tolerably well for a while.

But spammers and other bad actors ruin everything, and the internet email landscape has changed. It’s reasonably common now for operators of email domains to publish DMARC policies that require emails whose From: headers are within that domain to be authenticated in some way, and this is incompatible with the older approach. As a result, it’s been getting increasingly common for Launchpad bug notifications not to be delivered because they failed these authentication checks. Regardless of how justifiable our notification-sending practices were, we have to exist within the reality of internet email as it’s actually deployed.

So, thanks to a contribution from Thomas Ward, Launchpad now sends all its bug notifications as if the user in question had the “Hide my email address from other Launchpad users” switch set: that is, they’ll all appear as something like “From: Your Name <bug-id@bugs.launchpad.net>“. Over time we expect to extend this sort of approach to the other types of email that we send, possibly with different details depending on the situation.

Please let us know if this causes any strange behaviour in your email client. We may not be able to fix all of them, depending on how they interact with DMARC’s requirements, but we’d like to be aware of what’s going on.


1

中信加速器打不开-outline

Published by Colin Watson August 6, 2024 in General

Here’s a brief changelog of what we’ve been up to since our last general update.

Read the rest of this entry »


0

中信加速器打不开-outline

Published by Colin Watson March 7, 2024 in General

WireGuard一键安装脚本+客户端下载/配置使用教程 | 堤堤云:2021-1-7 · 安卓版客户端教程 1、去Google Play下载wireguard,目前这个软件在Google Play中是未发布版,也可直接下载下面的f-droid的安装包。 安卓版wireguard:点击下载 2、将软件安装好,并将本教程服务端获取的client.conf文件传输到手机中。

Read the rest of this entry »


0

中信加速器打不开-outline

Published by tunsafe安卓客户端下载 February 21, 2024 in General

推酷 - IT人专属的个性聚合阅读社区 - 推酷:推酷网是面向IT人的个性化阅读网站,其背后的推荐引擎通过智能化的分析,向用户推荐感兴趣的科技资讯、产品设计、网络营销、技术文章等内容。推酷活动聚合互联网线上活动和线下活动,为你推荐感兴趣的 …

Read the rest of this entry »


0

中信加速器打不开-outline

Published by Colin Watson January 10, 2024 in Code

We’ve had tunsafe安装包 in Launchpad for a few years now. One thing that some users asked for, particularly larger users such as the Ubuntu kernel team, was the ability to set up per-branch push permissions for their repositories. Today we rolled out the last piece of this work.

Launchpad’s default behaviour is that repository owners may push anything to their own repositories, including creating new branches, force-pushing (rewriting history), and deleting branches, while nobody else may push anything. Repository owners can now also choose to protect branches or tags, either individually or using wildcard rules. If a branch is protected, then by default repository owners can only create or push it but cannot force-push or delete; if a tag is protected, then by default repository owners can create it but cannot move or delete it.

You can also allow selected contributors to push to protected branches or tags, so if you’re collaborating with somebody on a branch and just want to be able to quickly pair-program via 安卓手机安装tunsafe, or you want a merge robot to be able to land merge proposals in your repository without having to add it to the team that owns the repository and thus give it privileges it doesn’t need, then this feature may be for you.

There’s some initial 安卓手机安装tunsafe on our help site, and here’s a screenshot of a repository that’s been set up to give a contributor push access to a single branch:


0

中信加速器打不开-outline

Published by Colin Watson July 6, 2018 in General

Here’s a brief changelog for this month.

Read the rest of this entry »


0

中信加速器打不开-outline

Published by Colin Watson June 2, 2018 in General

Here’s a brief changelog for this month.

Read the rest of this entry »


0

中信加速器打不开-outline

Published by Colin Watson May 1, 2018 in General

Once again it’s been a while since we posted a general update, so here’s a changelog-style summary of what we’ve been up to.  As usual, this changelog preserves a reasonable amount of technical detail, but I’ve omitted changes that were purely internal refactoring with no externally-visible effects.

Read the rest of this entry »


0

中信加速器打不开-outline

Published by Colin Watson April 11, 2018 in General

Summary

Mohamed Alaa reported that Launchpad’s Bing site search implementation had a cross-site-scripting vulnerability.  This was introduced on 2018-03-29, and fixed on 2018-04-10.  We have not found any evidence of this bug being actively exploited by attackers; the rest of this post is an explanation of the problem for the sake of transparency.

Details

Some time ago, Google announced that they would be discontinuing their Google Site Search product on 2018-04-01.  Since this served as part of the backend for Launchpad’s site search feature (“Search Launchpad” on the front page), we began to look around for a replacement.  We eventually settled on Bing Custom Search, implemented appropriate support in Launchpad, and switched over to it on 2018-03-29.

Unfortunately, we missed one detail.  Google Site Search’s XML API returns excerpts of search results as pre-escaped HTML, using <b> tags to indicate where search terms match.  This makes complete sense given its embedding in XML; it’s hard to see how that API could do otherwise.  The Launchpad integration code accordingly uses TAL code along these lines, using the structure keyword to explicitly indicate that the excerpts in question do not require HTML-escaping (like most good web frameworks, TAL’s default is to escape all variable content, so successful XSS attacks on Launchpad have historically been rare):

<div class="summary" tal:content="structure page/summary" />

However, Bing Custom Search’s JSON API returns excerpts of search results without any HTML escaping.  Again, in the context of the API in question, this makes complete sense as a default behaviour (though a textFormat=HTML switch is available to change this); but, in the absence of appropriate handling, this meant that those excerpts were passed through to the TAL code above without escaping.  As a result, if you could craft search terms that match a portion of an existing page on Launchpad that shows scripting tags (such as a bug about an XSS vulnerability in another piece of software hosted on Launchpad), and convince other people to follow a suitable search link, then you could cause that code to be executed in other users’ browsers.

The fix was, of course, to simply escape the data returned by Bing Custom Search.  Thanks to Mohamed Alaa for their disclosure.


2

Launchpad news, May 2017

Published by tunsafe安装包 May 31, 2017 in General

逗比-翻墙党 - fanqiangdang.com:2021-5-14 · 百度云 利用油猴脚本绕开百度云管家 获取直接下载链接 2021-08-28 Toyo 阅读(180) 评论(0) 赞(0) 百度云为了推广他的百度云管家,在网盘内或者分享页面下载大文件(玛德有时候十几M也提示)的时候会强制让你下载使用百度云管家。搬瓦工VPS一键安装

Read the rest of this entry »


Previous Entries