-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/25/2012 02:45 AM, Ewoud Kohl van Wijngaarden wrote:
> On Wed, Jan 25, 2012 at 10:17:43AM +0200, Itamar Heim wrote:
>> On 01/25/2012 06:03 AM, Karsten 'quaid' Wade wrote:
>>> On 01/24/2012 03:40 PM, Ewoud Kohl van Wijngaarden wrote:
>>>> I have no experience with mediawiki + openid myself, but
>>>> maybe giving it a go and monitoring it would be good enough for
>>>> now.
>>>>
>>>> Possible downsides:
>>>> - Spammers use openid to spam
>>>>
>>>> Possible upsides:
>>>> - More open to new people
>>>> - People can use a single account for both gerrit and the wiki
>>>>
>>>> Since the wiki edits are also shown on IRC I think spam would
>>>> be caught fast enough and in the worst case the change could
>>>> be reverted.
>>>
>>> That's a good point, the wiki edits are watched that way more
>>> carefully.
>>>
>>> What would our reaction be if we started to see spam edits via
>>> OpenID accounts?
>>>
>>> * Can we easily disable those accounts?
>>> * Would we revert to not using OpenID?
>>> ** Sometimes spammers seem to be doing test-spam on a wiki, so
>>> a few scattered edits might be preparation for an onslaught.
>>>
>>> Also consider all this in terms of who is taking care of the
>>> wiki. We don't (yet?) have enough individuals or a team that
>>> seem to be taking on any wiki management tasks.
>>>
>>> So a spamming situation could rally such folks, but it could
>>> also kill the energy while in the crib by overwhelming it with
>>> spam pages from incrementally more spam accounts.
>>>
>>> I'm reacting a bit here to e.g. more wiki pages being
>>> incorrectly named than not, so a lot of wiki gardening required
>>> still. OTOH, I am very much in favor of lowering barriers as
>>> much as we can. I'd like to proceed with this discussion and
>>> just figure out a way to counterbalance the risks, etc.
>>
>> can we separate the openid support for authentication (so people
>> can use same user/password) from authorization (can an openid
>> account do something)?
>>
>> so we would still have the process of an existing user has to
>> give edit permissions to an openid user?
> That could be a mitigation in case we do get spammers.
>
> I'm wondering how Wikipedia handles this since that's an open wiki
> using the same software. Using an extension for authentication
> makes us a non-standard target and thus harder.

AIUI, a large part is the legion of volunteers who revert spam edits.
All of the protection tools, such as Captchas, are reportedly cracked
by spammers.

> I think it's important, if not vital, for an open source project to
> have a low barrier to join. Making it easy to do small fixes on the
> wiki could help get people more involved.

This I do agree with, and wrote in to The Open Source Way handbook:

https://www.theopensourceway.org/wiki/How_to_loosely_organize_a_community#Use_lightweight.2C_open_collaboration_tools_-_wikis.2C_mailing_lists.2C_IRC.2C_version_control.2C_bug_trackers_-_and_give_out_access

... and then as a project, struggle with how to handle the wiki auth.

(Short URL of above: http://bit.ly/TOSWOpenTooling )

> So in short I think using openid authentication and open
> authorization will benefit the project at an acceptable risk of
> spammers. If we do notice spammers we can switch to user
> authorization with manual approval of users or in the worst case
> fully disable openid and revert to the current workflow.

Are you able to volunteer to help with wiki gardening? In specific,
keeping things cleaned up if we do get a spammer - reverting changes,
deleting accounts, etc.

If we can get enough of us to watch things with commitment, then I'm
much more comfortable with the idea of rolling out OpenID.

- - Karsten
- --
name:  Karsten 'quaid' Wade, Sr. Community Architect
team:  Red Hat Community Architecture & Leadership
uri:   http://communityleadershipteam.org
       http://TheOpenSourceWay.org
gpg:   AD0E0C41
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iD8DBQFPIHWI2ZIOBq0ODEERAiioAJ96Cc0ZKm7ZvnaFfQAnrHhvla0e9wCdG4c4
AIOT2IIfTrJ8qtN47c96hcw=
=D3ho
-----END PGP SIGNATURE-----
_______________________________________________
Infra mailing list
[email protected]
http://lists.ovirt.org/mailman/listinfo/infra
