Well, I would prefer that you not do that.

chi.*, for instance, hasn't had a hierarchy administrator since Gerry
Swetsky moved away. He never sent a newgroup message to start a new
group that I recall, all groups were started before he was the
administrator. But if a group were proposed, we were supposed to
get together for an in-person meeting, probably called as Uniforum
Chicago or a successor if it's still meeting. It was pretty informal and
mostly an excuse to drink beer, if it ever happened. If people wanted a
new group, Gerry would have sent a newgroup message.

If anyone wanted to propose a newsgroup in a formerly administered regional
hierarchy and there are rules of any kind to follow, he'd have to declare
himself hierarchy administrator, or the act of sending the newgroup message
would be a default declaration of being hierarchy administrator with
respect to that one proposed newsgroup. Under such informal circumstances,
I recommend AGAINST a policy in which the hierarchy is delisted from
control.ctl without having implemented authenticated control messages.

In such a scenario, no, we don't need authenticated control messages.
Unless any of the massive attacks included bogus newgroup messages in
any of these hierarchies, why would they have bothered to have
implemented authenticated control messages in the past?

Regional and language hierarchies were often run on an ad hoc basis.
Please leave them that way.

I haven't reviewed the documents in years, but rone's unified
control.ctl used to list a dozen local hierarchies with a note as to
which institution or News server provider they were for. I thought once
you took over the document, you purged them as they aren't Usenet, or
you moved the list to hierarchy-notes.
Well, yeah. And I would request that you continue to treat them as
"There is no problem to fix."
A lot of nearly dead hierarchies may still have a bit of discussion in
the *.general or equivalent newsgroup. Let's leave the option that if
there's an actual need to propose and create a new group, that there is
no requirement to implement authenticated control messages without a
need for it.

In fact, we probably don't want to implement authenticated control
messages in such ad hoc hierarchies as no one would remember where the
key went to. Wasn't the key to ba.* misplaced for close to a decade?
Please don't.

Hi Russ,
[...]
I have no objection.
I reckon it is the right move to do.
Ok, though some newsgroup names are questionable (like free.biden.sucks
created today) but that's another debate!
Separate active and newsgroups files containing only alt.* and free.*
newsgroups may be provided by control-archive and put in ftp.isc.org
(just a thought, to better enhance the difference).
I'm fine with removing non-PGP entries, including private, local,
historic and defunct hierarchies.
The main argument would be that the control.ctl file is used as a
configuration file, not as the memory of Usenet history.

Private hierarchies like bofh.* or szaf.*, and historic hierarchies like
net.* or eug.*, which have a PGP key, will remain if I understand well.

As well as reserved hierarchies (control.*, example.*, to.* ...) for
technical reasons.

No objections. control.ctl entries honoring unsigned control messages
are accidents waiting to happen.
I would prefer to keep the entries commented out (or move them to
another file ..., just to keep them around for reference), as that
makes it easier to dive down in history or check for the existence of
a (former) hierarchy, compared to checking old git commits.

But if that's more work than just dropping them, that's okay, too.

-thh

"Russ Allbery" wrote in message news:***@hope.eyrie.org...

(*) Except for alt.* and free.*, to the extent that anyone honors them.

Hi all,

I'm considering a policy change for the newsgroup lists maintained at
ftp.isc.org to only honor PGP-signed control messages except for alt.* and
free.* and wanted to run them by everyone.

Historically, control.ctl has included entries for large numbers of local,
regional, and language hierarchies that predate control message signing or
that didn't go to the trouble of creating PGP keys and setting up signing.
Since we didn't want to break anything when control message signing was
introduced, those entries were only changed if there was an abuse problem.
Many of those hierarchies are too small and obscure for anyone to have
bothered to forge control messages for them, even back in the heyday of
control message vandalism.

This has been bothering me for a while, though, since I have a rather
strong interest in making this system as automated as possible since I
have very little time to fix things manually. Vandalism would be easy to
manually repair, but it would require I go do something about it, which is
unappealing.

Possibly more relevantly, I have not seen anyone who in theory is
maintaining any of those non-PGP hierarchies issue a valid control message
in years (probably more than ten years). In practice, I don't believe
anyone is sending unsigned control messages except for alt.* and free.*
(which are intended to be a free-for-all left to each individual site to
manage), and I believe all of those legacy entries are effectively
defunct.

I am therefore proposing removing all non-PGP entries from control.ctl or,
alternately, leaving them there but commented out. I'm kind of leaning
towards the former since if anyone cares about the history for some reason
they can get it from old versions of control.ctl in the INN repository or
from <https://github.com/rra/control-archive/> (and I have no reason to
believe that the people identified with those email addresses still exist
or feel in any way responsible for those hierarchies), but I could be
convinced to leave them there commented out.

Thoughts?
===================
Under the current scheme, invalid mailboxes (and even a NULL string) are accepted for some control messages where they shouldn't be.
Only the "drop" action (in file "control.ctl") can have the mailbox match be "*", because that is a "don't care" case.

The 'from' field in control.ctl should be changed from "*" (where that appears) to "?*@?*.??*" to make certain that a legal mailbox
is accepted. "*" by itself will match 0 characters, so the adjacent "?"s make certain that each component has at least one
character. The domain side basically needs two components with an intervening dot. Although "localhost" is an acceptable domain,
it is not useful in this context, so I intentionally suggest a syntactic pattern match that excludes it. Some patterns with
matching text may also need "*" changed to "?*" for positive actions (i.e. not drop).

What this change does:
- No NULL usernames. Must have at least 1 non-whitespace character. Although UTF-8 may be allowed in the text comment accompanying
a mailbox (usually a quoted name), only the printable ASCII set is permitted for the mailbox.
- TLDs must be at least 2 characters (and not end with a digit or dash).
- There must be at least 2 domain components ('localhost' specifically denied).

This change would then be used in combination with some exclusion rules that go after various bad mailboxes and/or mailbox syntax
such as those containing two ".." in a row, ".-", etc. I use these entries in my file "control.ctl.local":

## INVALID, BOGUS, & RESERVED MAILBOX PATTERNS (AFTER "?*@?*.??*" APPLIED)
## ------------------------------------------------------------------------
all:*@*[^-.0-9a-z]*|*@[-.]*|*@*.[-.]*|*@*-.*|*@*[^a-z.]|*@*[^a-z].:*:drop
all:*[^!-?A-~]*@*|[-.]*@*|*.[-.]*@*|*[-.]@*|*-.*@*|*fuck*@*|poster:*:drop

One could go further to deny the "example", "invalid", and "test" TLDs, and "example" SLDs, but I chose not to do that here. (I do
filter for such in my "cleanfeed.local" file).