How is spam a problem in a shoes-only interface? Don't spammers only operate on the web?

They're hardly going to code up a special adaptor for the spam bots just to spam poor _why, and I doubt many spammers would install shoes just to spam the manual. We don't need to even make the comments visible on the web interface. I feel like the web interface is a nice thing to have, but should act as a lowest common denominator for what we can do in the manual.

Another option would be to force comments through the web UI to be confirmed through an email link, though overall I feel it's a good thing to require people to use shoes for this task, because at least then we know that the commentator actually has and uses shoes. I don't see what benefit HMAC gives when the key is embedded into open source.

The real trouble would probably come from prankster shoobies looking to cause some havoc with their newfound skills. One way to work around that would be to store a unique identifier, perhaps generated by the uuid gem, the first time they run shoes. It could be sent with their comments, or for extra awesome bonus points, we could even force the sending of this ID via an X-Shoes-ID header on outgoing http requests that use the ajaxy functionality within shoes, so anyone simply wrapping the code that sends comments in the manual in a 500.times { ... } loop would have all the requests identified to the server. In this way, if rebel shoobies ever did become a problem, it would be simple enough to rate limit on the server side off this ID. If they're persistent enough to recode the spambot using net/http, well, sucks to be us then. :P

One fun side effect of always using the ID in requests is that the subsequent spammy comments could be totally hidden from everyone else, while when their shoes requests the list of comments, it appears they successfully spammed the place. Mmmmm, nice warm trickery.

The HMACy response challengey thing has me thinking now though... We could write a block of really heavily compressed & obfuscated code (camping style!) which no newbie would have a chance in heck of being able to read and modify, which could act as a kind of secret cypher for challenging the client. Not sure what use it would be, but sure could be fun to code. :)
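The per-install ID, the X-Shoes-ID header, the server-side rate limit keyed on that ID, and the "hide the flood from everyone but the flooder" trick described above, sketched in Ruby as an added example (this is not code from the thread or from Shoes itself). Assumptions: the ID is a UUID from stdlib SecureRandom rather than the uuid gem, the server reads the header the Rack way as HTTP_X_SHOES_ID, and the limit and window values are made up for illustration.

```ruby
require 'securerandom'

# Client side: generate the identifier once per install and send it with every
# request. SecureRandom.uuid stands in for the uuid gem mentioned in the thread.
class ShoesClient
  attr_reader :id

  def initialize(id = SecureRandom.uuid)
    @id = id
  end

  # Headers attached to every outgoing request from the manual's comment code.
  def headers
    { 'X-Shoes-ID' => @id }
  end
end

# Server side: per-client sliding-window rate limit keyed on X-Shoes-ID, plus
# shadow-hiding of any comment that exceeds the limit. The request shape here
# mimics a Rack env (header X-Shoes-ID arrives as env['HTTP_X_SHOES_ID']).
class CommentServer
  LIMIT  = 5     # comments a single client may post ... (assumed value)
  WINDOW = 60    # ... within this many seconds (assumed value)
  UUID_RE = /\A\h{8}-\h{4}-\h{4}-\h{4}-\h{12}\z/

  # clock is injectable so the sliding window can be tested deterministically.
  def initialize(clock: -> { Time.now.to_f })
    @clock    = clock
    @comments = []                                # { client:, body:, hidden: }
    @recent   = Hash.new { |h, k| h[k] = [] }     # client id -> post timestamps
  end

  # Handle a comment POST. Returns [status, message].
  def post_comment(env, body)
    client = env['HTTP_X_SHOES_ID']
    return [400, 'missing or malformed X-Shoes-ID'] unless valid_id?(client)

    now    = @clock.call
    stamps = @recent[client]
    stamps.reject! { |t| t < now - WINDOW }       # drop posts outside the window
    stamps << now
    flooding = stamps.size > LIMIT

    # Flooded comments are stored but flagged hidden; the client still gets 200,
    # so a 500.times loop looks successful from the sender's side.
    @comments << { client: client, body: body, hidden: flooding }
    [200, 'ok']
  end

  # Comment list as seen by the requesting client: hidden comments are shown
  # only to their own author, everyone else never sees the flood.
  def comments_for(env)
    viewer = env['HTTP_X_SHOES_ID']
    @comments
      .select { |c| !c[:hidden] || c[:client] == viewer }
      .map { |c| c[:body] }
  end

  private

  def valid_id?(id)
    id.is_a?(String) && id.match?(UUID_RE)
  end
end
```

The limit is only as strong as the header: because the ID is client-chosen, anyone who rewrites the client (the net/http case in the message) can rotate IDs, so this keys a nuisance filter rather than an identity check, which matches the thread's own assessment. Rejecting malformed IDs up front keeps the per-client table from being filled with arbitrary strings.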