Re: [gentoo-dev] [RFC] Anti-spam for goose
Hi all, I believe that we are all have forgotten about Donald Knuth: Premature optimisation is the root of all evill. We don't have "spam" yet, but we are already trying to protect. There might be cases when some systems will be posting stats more often than we want, but probably that will not harm us. Or this will be done by our main users who runs 1kk of gentoo installations and this "spam" will be actually valuable. Moreover, nobody forces us to treat info from 'goose' as first priority, so we are still able to select on which packages to work. In short: this topic is not so important yet, I think. Viktar On Thu, May 21, 2020, 16:28 Jaco Kroon wrote: > Hi Michał, > > On 2020/05/21 13:02, Michał Górny wrote: > > On Thu, 2020-05-21 at 12:45 +0200, Jaco Kroon wrote: > >> Even for v4, as an attacker ... well, as I'm sitting here right now I've > >> got direct access to almost a /20 (4096 addresses). I know a number of > >> people with larger scopes than that. Use bot-nets and the scope goes up > >> even more. > > See how unfair the world is! You are filling your bathtub with IP > > addresses, and my ISP has taken mine only recently. > I must admit, I work for an ISP :$ > >>> Option 3: explicit CAPTCHA > >>> == > >>> A traditional way of dealing with spam -- require every new system > >>> identifier to be confirmed by solving a CAPTCHA (or a few > identifiers > >>> for one CAPTCHA). > >>> > >>> The advantage of this method is that it requires a real human work > >>> to be > >>> performed, effectively limiting the ability to submit spam. > >>> > >> Yea. One would think. CAPTCHAs are massively intrusive and in my > >> opinion more effort than they're worth. > >> > >> This may be beneficial to *generate* a token. In other words - when > >> generating a token, that token needs to be registered by way of capthca. > >> > >>> Other ideas > >>> === > >>> Do you have any other ideas on how we could resolve this? > >>> > >> Generated token + hardware based hash. > > How are you going to verify that the hardware-based hash is real, > > and not just a random value created to circumvent the protection? > > So the generation of the hash is more to validate that it's still on the > same installation (ie, not a cloned token). Sorry if that wasn't clear, > so trying to solve two possible problems in one go. > > > > >> Rate limit the combination to 1/day. > >> > >> Don't use included results until it's been kept up to date for a minimum > >> period. Say updated at least 20 times 30 days. > > For privacy reasons, we don't correlate the results. So this is > > impossible to implement. > > Ok, but a token cannot (unless we issue it based on an email based > account) be linked back to a specific user, so does it matter if we > associate uploads with a token? > > >> The downside here is that many machines are not powered up at least once > >> a day to be able to perform that initial submission sequence. So > >> perhaps it's a bit stringent. > > Exactly. Even once a week is a bit risky but once a day is too narrow > > a period. > > > > To some degree, we could decide we don't care about exact numbers > > as much as some degree of weighed proportions. This would mean that, > > say, people who submit daily get the count of 7, at the loss of people > > who don't run their machines that much. It would effectively put more > > emphasis on more active users. It's debatable whether this is desirable > > or not. > Decaying averages. Simple to implement, don't need all historic data. > > > > Both the token and hardware hash can of course be tainted and is under > >> "attacker control". > > Exactly. So it really looks like exercise for the sake of exercise. > > Unless tokens are *issued* as per the rest of my email you snipped > away. Wherein I proposed an issuing of both anonymous and non-anonymous > tokens. > > Kind Regards, > Jaco > > >
Re: [gentoo-dev] Last standing Python 2.7 dependency
Hi all, I'd also like to clean my system and have it Python 2.7 free. Are there any guidelines to check which packages are still using pyton2_7 in my system? Thanks, Viktar On Fri, May 1, 2020 at 7:50 PM Michał Górny wrote: > On Fri, 2020-05-01 at 14:45 -0300, José de Paula Rodrigues wrote: > > Hi all, > > > > I've cleared my system from Python 2.7 almost entirely, with the sole > > exception being dev-lang/python-exec, which relies on a hack to absorb > all > > possible Python versions in python-utils-r1.eclass. Shouldn't python2_7 > be > > removed from _PYTHON_ALL_IMPLS there? > > > > python-exec does not depend on the Python interpreter, so you can > depclean it. > > -- > Best regards, > Michał Górny > >
Re: [gentoo-dev] Re: [gentoo-dev-announce] Last rites: net-proxy/mitmproxy
Sam, Let me know if you are experiencing any issues or need assistance. I also want to save this package and can help. Thanks, Viktar On Sun, Apr 19, 2020 at 10:34 PM Sam James wrote: > I’ll try look at this. > > > > On 19 Apr 2020, at 21:05, Michał Górny wrote: > > > > # Michał Górny (2020-04-19) > > # Unmaintained. Stuck on Python 3.6. Needs version bump. > > # Removal in 30 days. Bug #718458. > > net-proxy/mitmproxy > > > > -- > > Best regards, > > Michał Górny > > > > >
Re: [gentoo-dev] No Java Team, Java neglect was -> Reverse use of Python/Ruby versions
Hi All, My name is Viktar and I'm an experienced Java developer. I'm using Gentoo as my primary system for a past 5-6 years, so I do know a little bit about it. I even tried to become a Gentoo Dev, but due to lack of time haven't completed training course. That's it for introduction. I feel really sorry for Gentoo Java project not having appropriate attention and I'm volunteering to help solving most important and critical issues as a proxy maintainer. Please let me know who I should coordinate with. Thanks, Viktar On Tue, Apr 11, 2017 at 12:18 PM, Kristian Fiskerstrandwrote: > On 04/10/2017 11:54 PM, William L. Thomson Jr. wrote: > > Sadly a vocal minority surely does. If most get past others perception > > of me, insults, and all around the way I am seen. Then most would > > realize what ever they think about me, is horribly incorrect. I am very > > different than I may seem. Almost no one around here knows me. There > > are a few who have met me. > > I've mostly stayed out of this discussion, but it seems to be reaching > more on personal discussions than topical matters now so I suggest that > everyone takes a step back, a breath of fresh air and keep the topics to > matters that can actually benefit Gentoo. > > William; We've all heard what you're saying ad nauseam, and although the > current thread is really within the pure boundries of allowed > discussions, several people have complained about spamming of the lists. > > You're saying that nobody really knows you, have you considered spending > some time to reflect on how you present yourself on this mailing list > and other communication channels? Maybe taking another few minutes > writing an email can get your message across in a way that seems more > constructive? Pure volume and repetition of issues surely doesn't > benefit anyone, and quickly becomes boring. > > -- > Kristian Fiskerstrand > OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net > fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 > > On Tue, Apr 11, 2017 at 12:18 PM, Kristian Fiskerstrand wrote: > On 04/10/2017 11:54 PM, William L. Thomson Jr. wrote: > > Sadly a vocal minority surely does. If most get past others perception > > of me, insults, and all around the way I am seen. Then most would > > realize what ever they think about me, is horribly incorrect. I am very > > different than I may seem. Almost no one around here knows me. There > > are a few who have met me. > > I've mostly stayed out of this discussion, but it seems to be reaching > more on personal discussions than topical matters now so I suggest that > everyone takes a step back, a breath of fresh air and keep the topics to > matters that can actually benefit Gentoo. > > William; We've all heard what you're saying ad nauseam, and although the > current thread is really within the pure boundries of allowed > discussions, several people have complained about spamming of the lists. > > You're saying that nobody really knows you, have you considered spending > some time to reflect on how you present yourself on this mailing list > and other communication channels? Maybe taking another few minutes > writing an email can get your message across in a way that seems more > constructive? Pure volume and repetition of issues surely doesn't > benefit anyone, and quickly becomes boring. > > -- > Kristian Fiskerstrand > OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net > fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 > >