Currently, when we create an account, we set it up, and mail the password (to ensure that the user really owns that account) If the user makes a typo, that means that we end up with a valid account, which can never be used. Instead, we should create a token which expires in n days (1-2 ?) which ahs to be confirmed before an entry is made in teh profiles table. From endico on irc, there are 48890 accounts, but only 19158 distinct reporters, and 21976 distinct people who have made a comment. Even if you assume that noone who has made a comment has ever filed a bug (which is really really really unlikely), that still leaves us with about 20% of accounts who have never done either. So unless there is another class of users I've forgotton about, this accounts for a large number of people, and so this would also be worth doing. This also ensures that the postmaster doesn't get bounces from incorrect emails, and that you can't cc a user (and thus give them spam mail) before their account is activated. We'd obviously then have to check the tokens table for these sort of email adressess, just like we currently check them for email changes in progress.
*** This bug has been marked as a duplicate of 87795 ***