Spam is not a fact of life unless you are flippant with your email address, I am not, and I have not had spam for some years, but having joined the bug tracker system and added to bug reports, I now am getting some spam, too much of a coincidence me thinks.

There is no reason for everyone’s email addresses to be displayed, the system could keep them hidden and safe by making sure everyone used an alias and displaying that instead. Then everyone concerned could still get notified when a bug report gets added to.
talk.maemo.org works very well this way and I joined it along time before joining the bug tracker system.

If the bug tracker system is known to spammers as a weak site, there is nothing stopping them from signing up and harvesting everyone’s emails.

havent seen any spam in my email I use in bugzilla....

The following threads have been merged into this thread:

• "What? Bugzilla uses my email address as my ID?" with eighty-four posts
• "Bug db forces non-disposable email addresses, then they publicize it!" with six posts

Have you confirmed that bugs.maemo.org accepts mailinator.com addresses?

If it does, that's would be almost reasonable. I say "almost", because mail sent to mailinator addresses is public, and the user has the burden of proactively checking the web for replies (and it's a separate check per address).
spamgourmet.com is one -- and it's being blocked from those who sign up for bug tracker accounts.

I've proven the contrary. I managed to find a disposable address that didn't get rejected. So all the spam now flooding into that address is purely from a compromise in the bugzilla system. It's the reason I started the thread that got merged with this one.

(if you're wondering why I don't continue with that type of address, the sysadmins have figured it out since I created it, and it's now blocked. bugs.maemo.org now blocks the slightest modification to that address)

Bug reporters are public servants who contribute positively to the community. The idea is to encourage this (uncompensated) behavior.

Both forcing users to give up a real email address, and then simultaneously denying them the option to hide that address is not the way to encourage participants to offer their services.

It's totally unreasonable that maemo.org has taken a stance against disposable addresses, and then forced exposure of the more sacred addresses they forced people to register with.

I don't support that combination, either, but I don't have a problem with requiring real email accounts for bug reporting AND allowing them to be hidden from report views.

At talk.maemo.org the Mailadresses are hidden by default and you can show it to all members if you want. The system provides the possibility to send a Mail to the Member thru the system for a first contact. You don't need to have the Mailadress for this, it's enought that the system has the Adress.

In my opinion bugs.maemo.org should work the same way. Hide the Mailadress by default and show only real Names or if you want to stay incognito Nicknames.

In my opinion it is sometimes very important to hide your real identity. I have at example here at talk.maemo.org two accounts. This one to hide my real identity and a second one to publish my real name to everyone.

Although that would be an improvement, it neglects basic security principles. It's backwards to pursue a model of least security, and then ask to justify policies that are more secure. The way forward is to start with the policy that is most secure (ie. minimal disclosure), and demand justification when a policy reduces security.

IOW, the question is not why the personal identities of users need to be withheld. The question is why the personal identities of participants on a bug reporting system must be disclosed. From a security viewpoint, there does not exist a rational justification. Registration already covers the need to shut down malicious users.

The only benefit to identity disclosure is attribution. And if a user wants to make sure that they get credit for documenting a bug or workaround, they can do this regardless of whether forced disclosure is in place.