Does Spectrum have a web submission endpoint for b4?
I'm curious if Spectrum has a web submission endpoint for b4. would lower the barrier to entry for those who have bad mail clients, like the GMail web UI.
I did notice that .b4-config did not mention one.
-- Sincerely, Demi Marie Obenour (she/her/hers)
Demi Marie Obenour <demiobenour@gmail.com> writes:
I'm curious if Spectrum has a web submission endpoint for b4. would lower the barrier to entry for those who have bad mail clients, like the GMail web UI.
I did notice that .b4-config did not mention one.
It doesn't. We could set one up, but I'd have to research how to prevent it being used for spam, since it sounds like it would basically be an open relay, and we've had a number of GMail users able to submit patches successfully using git-send-email so far. Isn't all you have to do create an app-specific password and use that as your SMTP password?
On 7/26/25 06:08, Alyssa Ross wrote:
Demi Marie Obenour <demiobenour@gmail.com> writes:
I'm curious if Spectrum has a web submission endpoint for b4. would lower the barrier to entry for those who have bad mail clients, like the GMail web UI.
I did notice that .b4-config did not mention one.
It doesn't. We could set one up, but I'd have to research how to prevent it being used for spam, since it sounds like it would basically be an open relay, and we've had a number of GMail users able to submit patches successfully using git-send-email so far. Isn't all you have to do create an app-specific password and use that as your SMTP password?
b4 web submission is authenticated: the user must prove they own the email address before they can send as that email address.
Creating an app-specific password does work, but it isn't always an option:
- Enrolling in the Advanced Protection Program (recommended for the very users Spectrum targets!) disables app passwords.
- Google Workspace admins can disable app passwords.
- Microsoft 365 has either removed support for SMTP basic auth or will do so soon.
OAuth is still supported, but it isn't always an option, and even when it is it is still a huge barrier to entry:
- Obtaining an OAuth token for SMTP requires registering an app, and admins (at least in Microsoft 365) can disable that.
- There is no builtin OAuth support in git send-email. There are sendmail compatible CLIs that do have such support, but everyone who packaged it might need to get their own client ID for legal reasons. This would also cause problems in corporate environments.
- Some email servers add legal disclaimers that are inappropriate for public mailing lists.
Using a separate email account for patch submission works, but in some cases third-party SMTP servers are blocked by a corporate firewall, and it is also a large barrier for new contributors.
In contrast, using b4 web submission only requires that one be able to make an HTTPS request and prove control over the email address one is using. That's a vastly simpler process than having to configure git send-email manually.
It's worth noting that supporting web submission does require that the mailing list rewrites the From: header, as otherwise DMARC will fail and the mail will be rejected or marked as spam.
-- Sincerely, Demi Marie Obenour (she/her/hers)
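The DMARC point in the message above, as an added example that is not part of the thread or of b4: a message relayed by list infrastructure can only carry SPF/DKIM identities of that infrastructure, so alignment with a gmail.com From: fails until From: is rewritten. The domains, the sample message, the "via list" rewrite format and the two-label organizational-domain shortcut are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import formataddr, parseaddr

# Constructed sample: a patch relayed on the author's behalf.
SUBMITTED = (
    "From: Contributor <contributor@gmail.com>\n"
    "To: devel@lists.example.org\n"
    "Subject: [PATCH] example\n"
    "\n"
    "patch body\n"
)

def org_domain(domain):
    # Simplification: last two labels. Real evaluators use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, strict=False):
    """Identifier alignment: exact match (strict) or same organizational domain (relaxed)."""
    if strict:
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_result(raw, spf_domain, dkim_domains, strict=False):
    """'pass' if any domain that passed SPF or DKIM aligns with the From: domain."""
    from_domain = parseaddr(message_from_string(raw)["From"])[1].rpartition("@")[2]
    authenticated = list(dkim_domains) + ([spf_domain] if spf_domain else [])
    ok = any(aligned(from_domain, d, strict) for d in authenticated)
    return "pass" if ok else "fail"

def rewrite_from(raw, list_addr):
    """Put the list address in From: and keep the author reachable via Reply-To."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg["From"])
    del msg["From"]
    msg["From"] = formataddr((f"{name} via list", list_addr))
    if "Reply-To" not in msg:
        msg["Reply-To"] = addr
    return msg.as_string()

if __name__ == "__main__":
    sender = "lists.example.org"  # hypothetical: the only identity the relay can authenticate
    print(dmarc_result(SUBMITTED, sender, [sender]))           # author's From: kept
    munged = rewrite_from(SUBMITTED, "devel@lists.example.org")
    print(dmarc_result(munged, sender, [sender], strict=True))  # From: rewritten
```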
On 7/27/25 18:18, Demi Marie Obenour wrote:
On 7/26/25 06:08, Alyssa Ross wrote:
Demi Marie Obenour <demiobenour@gmail.com> writes:
I'm curious if Spectrum has a web submission endpoint for b4. would lower the barrier to entry for those who have bad mail clients, like the GMail web UI.
I did notice that .b4-config did not mention one.
It doesn't. We could set one up, but I'd have to research how to prevent it being used for spam, since it sounds like it would basically be an open relay, and we've had a number of GMail users able to submit patches successfully using git-send-email so far. Isn't all you have to do create an app-specific password and use that as your SMTP password?
b4 web submission is authenticated: the user must prove they own the email address before they can send as that email address.
Creating an app-specific password does work, but it isn't always an option:
- Enrolling in the Advanced Protection Program (recommended for the very users Spectrum targets!) disables app passwords.
- Google Workspace admins can disable app passwords.
- Microsoft 365 has either removed support for SMTP basic auth or will do so soon.
OAuth is still supported, but it isn't always an option, and even when it is it is still a huge barrier to entry:
- Obtaining an OAuth token for SMTP requires registering an app, and admins (at least in Microsoft 365) can disable that.
- There is no builtin OAuth support in git send-email. There are sendmail compatible CLIs that do have such support, but everyone who packaged it might need to get their own client ID for legal reasons. This would also cause problems in corporate environments.
- Some email servers add legal disclaimers that are inappropriate for public mailing lists.
Using a separate email account for patch submission works, but in some cases third-party SMTP servers are blocked by a corporate firewall, and it is also a large barrier for new contributors.
In contrast, using b4 web submission only requires that one be able to make an HTTPS request and prove control over the email address one is using. That's a vastly simpler process than having to configure git send-email manually.
It's worth noting that supporting web submission does require that the mailing list rewrites the From: header, as otherwise DMARC will fail and the mail will be rejected or marked as spam.
Two other factors:
- For people who are using compartmentalized operating systems, `b4 send` access (which is only to certain mailing lists) is less than full SMTP access and *much* less than what an app-specific password grants.
- `b4 send` allows isolating the attestation keys from the user's email client.
-- Sincerely, Demi Marie Obenour (she/her/hers)
Demi Marie Obenour <demiobenour@gmail.com> writes:
On 7/26/25 06:08, Alyssa Ross wrote:
Demi Marie Obenour <demiobenour@gmail.com> writes:
I'm curious if Spectrum has a web submission endpoint for b4. would lower the barrier to entry for those who have bad mail clients, like the GMail web UI.
I did notice that .b4-config did not mention one.
It doesn't. We could set one up, but I'd have to research how to prevent it being used for spam, since it sounds like it would basically be an open relay, and we've had a number of GMail users able to submit patches successfully using git-send-email so far. Isn't all you have to do create an app-specific password and use that as your SMTP password?
b4 web submission is authenticated: the user must prove they own the email address before they can send as that email address.
Okay, good to know. I'll keep it in mind for when I'm feeling a bit better. :)
On 7/27/25 18:18, Demi Marie Obenour wrote:
On 7/26/25 06:08, Alyssa Ross wrote:
Demi Marie Obenour <demiobenour@gmail.com> writes:
I'm curious if Spectrum has a web submission endpoint for b4. would lower the barrier to entry for those who have bad mail clients, like the GMail web UI.
I did notice that .b4-config did not mention one.
It doesn't. We could set one up, but I'd have to research how to prevent it being used for spam, since it sounds like it would basically be an open relay, and we've had a number of GMail users able to submit patches successfully using git-send-email so far. Isn't all you have to do create an app-specific password and use that as your SMTP password?
b4 web submission is authenticated: the user must prove they own the email address before they can send as that email address.
Creating an app-specific password does work, but it isn't always an option:
- Enrolling in the Advanced Protection Program (recommended for the very users Spectrum targets!) disables app passwords.
- Google Workspace admins can disable app passwords.
- Microsoft 365 has either removed support for SMTP basic auth or will do so soon.
Looks like Microsoft 365 has fully removed basic auth support.
OAuth is still supported, but it isn't always an option, and even when it is it is still a huge barrier to entry:
- Obtaining an OAuth token for SMTP requires registering an app, and admins (at least in Microsoft 365) can disable that.
Apparently some programs solve this by impersonating Outlook.
- There is no builtin OAuth support in git send-email. There are sendmail compatible CLIs that do have such support, but everyone who packaged it might need to get their own client ID for legal reasons. This would also cause problems in corporate environments.
Correction: git send-email actually has OAuth2 support, but it has no builtin way to obtain an OAuth refresh token. There is a third-party program (git-credential-oauth) that does support this, but it is not installed by default.
-- Sincerely, Demi Marie Obenour (she/her/hers)
participants (2): Alyssa Ross, Demi Marie Obenour