Closed Bug 305566 Opened 19 years ago Closed 19 years ago

Non Unique User aliases can cause confusion over the identity of the commentator

Categories

(Bugzilla :: User Accounts, defect)

defect
Not set
normal

VERIFIED DUPLICATE of bug 179622

People

(Reporter: jaime.bugzilla, Unassigned)

Details

Most users have an alias that is displayed rather than their bugmail address. If you look at the poster of a comment without checking their email address you can be confused into thinking it was made by someone else. Some random person can change their display name (alias) to the same as some important person in Bugzilla and then make comments which could be misinterpreted as being by that person. This confusion can be reduced by requiring that the user display name be unique.
This is somewhat more complex than that. Even if we require a unique real name, there's nothing to stop someone from adding a space, introducing a hard to notice typo, etc... Also, I'm not convinced that this is really a security bug, at least not one we need to keep secret.
OS: Windows XP → All
Hardware: PC → All
(In reply to comment #1)
> This is somewhat more complex than that. Even if we require a unique real name,
> there's nothing to stop someone from adding a space, introducing a hard to
> notice typo, etc...

Agreed that this is not simple to solve, however this bug report was prompted by confusion over who was making comments in b.m.o. under a certain name (only noticed by the fact the email address had appeared to change). Requiring user names to be unique would at least stop some incidents of accidental confusion if not deliberate misuse.

> Also, I'm not convinced that this is really a security bug, at least not one we
> need to keep secret.

I only filed it as security sensitive as this could be used by someone with malicious intent to cause a nuisance and I couldn't find any similar reports. I am quite happy for the flag to be removed.
I'm not sure this is even a bug. This is no different from a user setting whatever nickname they want when they connect to IRC. If you want to make sure it's them, you /whois them and see if they've logged into nickserv. On Bugzilla, you can mouse over the link and see what the email address is.
Bugzilla has an "identity" field on a user. That's what's used on the Reporter field at the top of the bug for example. It's a combination of the user's "real name" and their email address. Probably the safest fix for this is to just use the "identity" field for the user's name at the top of each comment as well.
Maybe a dupe of bug 34122 or bug 179622 (even if this one is specific to flags, the idea of a unique username is the same). At least, the security flag is not appropriate for this bug.
(In reply to comment #5)
> Maybe a dupe ... or bug 179622 (even if this one is specific to flags,
> the idea of a unique username is the same)

Yes it does look like the same issue. Could someone remove the security flag and dupe to that bug? Updating summary to better reflect the actual problem. Sorry for misusing the security flag.

Comment 4 seems like a reasonable solution, however it is likely to make the comment title block exceed the default width of comments and given how rare this case is it's probably not worth doing. Thanks for the responses.
Summary: Non Unique User aliases allow user comment spoofing → Non Unique User aliases can cause confusion over the identity of the commentator
Removing the security flag per comments 1, 3, 5 and 6. ;)

(In reply to comment #6)
> Comment 4 seems like a reasonable solution, however it is likely to make the
> comment title block exceed the default width of comments and given how rare this
> case is it's probably not worth doing.

You know, we can also have the comment title block split on two lines (both having the gray background):

--- Additional Comment #6 From Jaime Mitchell 2005-08-23 06:27 PDT [reply] ---
--- <bugzilla%jaimem.org.uk> ---

And why not hide the second line (email address) for logged out users (suggested in another bug)? I will let justdave close this bug, either dupe or wontfix.
Group: webtools-security
*** This bug has been marked as a duplicate of 179622 ***
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
v. dupe
Status: RESOLVED → VERIFIED
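
Added example, not part of the original bug thread and not Bugzilla's own code: the Python below shows why the exact-match uniqueness rule from the first comment misses the extra-space and typo cases raised in comment 1, and how a comment header built from name plus address, as comment 4 suggests, still tells the accounts apart. The account data is constructed, and the function names, the `Name <email>` layout and the 0.85 similarity threshold are assumptions made for illustration.

```python
import unicodedata
from difflib import SequenceMatcher
from itertools import combinations

# Constructed sample accounts: (display name, login email).
USERS = [
    ("Alex Example", "alex@example.org"),
    ("Alex  Example", "other@example.net"),   # extra space
    ("Alex Exarnple", "third@example.com"),   # "rn" typed in place of "m"
    ("Dana Sample", "dana@example.org"),
]

def identity(real_name, email):
    """Comment-header label in the spirit of comment 4: name plus address."""
    return f"{real_name} <{email}>" if real_name.strip() else email

def skeleton(name):
    """Fold case, Unicode compatibility forms and all whitespace."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return "".join(folded.split())

def raw_names_unique(users):
    """The plain uniqueness constraint proposed in the first comment."""
    names = [name for name, _ in users]
    return len(set(names)) == len(names)

def find_lookalikes(users, threshold=0.85):
    """Return (email_a, email_b, reason) for names a reader could confuse."""
    hits = []
    for (name_a, mail_a), (name_b, mail_b) in combinations(users, 2):
        sa, sb = skeleton(name_a), skeleton(name_b)
        if sa == sb:
            hits.append((mail_a, mail_b, "same-after-normalization"))
        elif SequenceMatcher(None, sa, sb).ratio() >= threshold:
            hits.append((mail_a, mail_b, "near-match"))
    return hits

if __name__ == "__main__":
    print("raw names unique:", raw_names_unique(USERS))
    for hit in find_lookalikes(USERS):
        print(hit)
    for name, mail in USERS:
        print(identity(name, mail))
```

A similarity threshold trades missed lookalikes against false positives on genuinely similar names, which is why showing the address next to the name remains the more dependable check.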