Sylvain Petreolle wrote:
- Login is mandatory, otherwise you can't read bugs.
It's too bad, you can't see if a bug already exists before opening an account, nor follow a link to a bug.
I think it's ok to require login to read bugs. This is the only effective defence against rampaging robots.
I recently created a web page about how to triage OpenOffice.org bugs (http://www.kegel.com/openoffice/), and even though I stuck <meta name="robots" content="nofollow"> in the head, I think spambots are hammering the openoffice issuezilla server and making the current slowdowns worse.
Plus there's the matter of all those email addresses. Requiring login helps shield the email addresses in bugzilla from spambots.
So hip hip hooray for the upgrade from this developer, restrictive access and all. - Dan
A better alternative would be not to show the email at all, not even in obfuscated style. no email shown at all, only names => no robots.
When I created my account on bugzilla, my question was : why give email as a username ?
===== Sylvain Petreolle (spetreolle at users dot sourceforge dot net) ICQ #170597259 No more War !
"What if tomorrow the War could be over ?" Morpheus, in "Reloaded".
For the Law of Oil and Fire, Im an European that lives in France. For all my Brothers and friends, Im a human living on Earth.
When I created my account on bugzilla, my question was : why give email as a username ?
That's for good reasons, mostly that people can more easily remember their email address than some random username, and it's guaranteed to be unique. All the web apps I produce/produced use that technique.
It does mean that for public services you have to be careful about exposing the email address in public of course though. That shouldn't be hard to add to bugzilla.
Sylvain Petreolle wrote:
A better alternative would be not to show the email at all, not even in obfuscated style. no email shown at all, only names => no robots.
No, the robots would still be there, potentially querying the heck out of the database and causing slowdowns for real users (as I said in the part you snipped out, openoffice.org's issuezilla is seeing this happen). While I agree that obscuring email addresses is something that should be done, it doesn't help with the load placed on the query engine by robots blindly following canned query links like those on http://kegel.com/openoffice without regard for the robot exclusion protocol. - Dan
Dan Kegel wrote:
canned query links like those on http://kegel.com/openoffice without regard for the robot exclusion protocol.
- Dan
Personally, I think setting up robot traps is better than blocking everyone. You know the drill - a 1x1 picture link with an "on click" that prevents it from ever being clicked. Anyone accessing that link is marked as a robot, and no queries from that IP are honored for half an hour. All dynamic pages return a canned response "Sorry, no robots allowed past this point".
Shachar
Won't it block offline web downloaders? (sometimes used by modem users)
Hatky.
If they have no way of logging in, then it would, but so would requiring login in order to view queries. If they can log in, we can unblock this case (i.e. - access a hidden link, and you can only view the database if you are logged in).
I'm not sure letting a modem user download the entire database is a good idea, though.
Shachar
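The robot trap Shachar describes in the two posts above, sketched as an added example (not code from the thread or from Bugzilla): a hidden link flags the requesting IP, dynamic pages answer that IP with the canned response for half an hour, and logged-in users are exempt. The trap path, the list of dynamic page prefixes and the sample request log are assumptions made for this sketch.

```python
import time

# Assumed names for this sketch; none come from the thread or from Bugzilla's code.
TRAP_PATH = "/robot-trap"
DYNAMIC_PREFIXES = ("/show_bug.cgi", "/buglist.cgi", "/query.cgi")
BLOCK_SECONDS = 30 * 60          # "half an hour"
CANNED = "Sorry, no robots allowed past this point"

# Hidden link for the page template: a 1x1 image whose click handler cancels
# navigation, so only clients that follow hrefs blindly ever request TRAP_PATH.
TRAP_HTML = ('<a href="%s" onclick="return false" rel="nofollow">'
             '<img src="/1x1.gif" width="1" height="1" alt=""></a>' % TRAP_PATH)


class RobotTrap:
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._blocked_until = {}     # client IP -> time the block expires

    def is_blocked(self, ip):
        expiry = self._blocked_until.get(ip)
        if expiry is None:
            return False
        if self._clock() >= expiry:  # block has run out, forget the IP
            del self._blocked_until[ip]
            return False
        return True

    def check(self, ip, path, logged_in=False):
        """Return (status, body); body None means hand the request to the app."""
        page = path.split("?", 1)[0]
        if page == TRAP_PATH:
            self._blocked_until[ip] = self._clock() + BLOCK_SECONDS
            return 403, CANNED
        # Only dynamic (database-backed) pages are refused, and a logged-in
        # user on a flagged IP is still let through.
        if page.startswith(DYNAMIC_PREFIXES) and not logged_in and self.is_blocked(ip):
            return 403, CANNED
        return 200, None


def replay(events):
    """Feed (time, ip, path, logged_in) tuples through a fresh trap."""
    now = [0.0]
    trap = RobotTrap(clock=lambda: now[0])
    statuses = []
    for t, ip, path, logged_in in events:
        now[0] = t
        statuses.append(trap.check(ip, path, logged_in)[0])
    return statuses


# Constructed request log (documentation-range IPs), not real traffic.
SAMPLE = [
    (0, "192.0.2.7", "/show_bug.cgi?id=1", False),         # ordinary visit
    (5, "192.0.2.7", TRAP_PATH, False),                    # follows the hidden link
    (6, "192.0.2.7", "/buglist.cgi?product=Wine", False),  # refused
    (7, "192.0.2.7", "/index.html", False),                # static page still served
    (8, "192.0.2.7", "/show_bug.cgi?id=1", True),          # logged in: allowed
    (9, "198.51.100.3", "/show_bug.cgi?id=1", False),      # different IP: unaffected
    (1805, "192.0.2.7", "/show_bug.cgi?id=1", False),      # block has expired
]

if __name__ == "__main__":
    print(replay(SAMPLE))
```

Keying the block on the IP address means everyone behind the same proxy or NAT gateway shares the penalty, which is why the login exemption matters.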
These issuezilla pages actually don't hide email addresses: "assigned to", "additional comments" and "reporter" have direct links to email addresses. The 'reassign issue to' should be empty too.
On May 17, 2003 12:51 pm, Dan Kegel wrote:
So hip hip hooray for the upgrade from this developer, restrictive access and all.
I am sorry, but I think this is a *terrible* idea. Bugzilla is already hard enough to use, this will simply kill it but for a small select group of hard core users == useless. The fact that you can't simply link to it from other pages (such as the Fun/ToDo/etc.) without registration should be a pretty big hint about its uselessness.
As for the spam, I am sorry, I think it's all blown out of proportion. I get a *ton* of spam, and I don't think it's justifiable to impose such draconian policies on _everybody_, simply because you can't deal with spam. There are other ways to handle it: Spam Assassin, use a different email for wine-related mail, etc.
Bottom line is that this is a *big* usability step backwards, and I would strongly ask that it be reversed. There's no evidence that emails in Bugzilla are being harvested, and even if they were, there's nothing to suggest tools can't deal with them. And for people that still have problems, they can use a wine-specific email for it -- but this makes it their choice, not something unilaterally imposed on everybody.
I personally liked the idea of restricting access to login accounts. But, Dimi is right, we need to be able to link to bug reports from other pages. So, the restricted access is now disabled in bugzilla.
Also, there have been reports of some bugs losing descriptions. Since the upgrade process is not reversible there is not much I can do about it. So this is a call for everyone to go through and check the bugs you submitted. If there is no desc, please re-enter one in the bug report. Don't submit them to me, I'll just ignore requests to fix individual bugs.
Also, don't ask me to add anything to the bugzilla code. If you want a feature in bugzilla, submit it to the main bugzilla page at: http://www.bugzilla.org/ If they include your feature I will put it in when the next stable build of bugzilla comes out. The most I will do is customize the look and feel via the new bugzilla template system. Any other changes I do always get lost when I upgrade to newer bugzilla builds.
On May 19, 2003 11:08 am, Jeremy Newman wrote:
Also, there have been reports of some bugs losing descriptions. Since the upgrade process is not reversible there is not much I can do about it. So this is a call for everyone to go through and check the bugs you submitted. If there is no desc, please re-enter one in the bug report. Don't submit them to me, I'll just ignore requests to fix individual bugs.
The first 3 bugs I've looked at had no history whatsoever. And it's a pity, because they had quite a bit of info. I'm not sure how big the problem is, but it's very troubling that it did happen. And how did it happen on only _some_ bugs???
Dimitrie O. Paun wrote:
The first 3 bugs I've looked at had no history whatsoever. And it's a pity, because they had quite a bit of info. I'm not sure how big the problem is, but it's very troubling that it did happen. And how did it happen on only _some_ bugs???
Yes, in fact I have yet to find any bugs that do have the history. Maybe there are some, but there seems to have been a major problem. I don't think it can be fixed by simply re-entering the data.
Jeremy, are you sure the descriptions are irremediably lost and it's not a display/query bug? Tons of bugs are concerned with this problem, and now I see that attachments were lost too.
To know our "fate": if the descriptions were deleted, there must be a lot of free space in the database. (I don't know anything about the bugzilla engine, though.)
On Tue, 2003-05-20 at 07:28, Sylvain Petreolle wrote:
Jeremy, are you sure the descriptions are irremediably lost and it's not a display/query bug? Tons of bugs are concerned with this problem, and now I see that attachments were lost too.
I doubt the upgrade process would have deleted any rows from the DB. It's more likely that the keys that link the tables together are botched. I will look at the data a little later to see if I can do anything about it.
Dimitrie O. Paun wrote:
I am sorry, but I think this is a *terrible* idea. Bugzilla is already hard enough to use, this will simply kill it but for a small select group of hard core users == useless. The fact that you can't simply link to it from other pages (such as the Fun/ToDo/etc.) without registration should be a pretty big hint about its uselessness.
? I don't follow. You *can* link to it. If a new user clicks on the link, they should be taken to a registration page; once they've registered, they should be taken to where they wanted to go. And they should never be bothered about registering again, or at least until the cookie expires. Doesn't seem too high impact to me.
As for the spam, I am sorry, I think it's all blown out of proportion. I get a *ton* of spam, and I don't think it's justifiable to impose such draconian policies on _everybody_, simply because you can't deal with spam. There are other ways to handle it: Spam Assassin, use a different email for wine-related mail, etc.
I've got SpamAssassin, and it's not enough. Just now I checked my email, and in the 12 hours since last I checked it, I got about 50 spams that made it *through SpamAssassin*. I run Mozilla's bayesian filtering as a second level of defence, and that blocked all but 12 spams, but it's a big CPU hog on my 450MHz machine. Note also that the volume of spam is doubling once every six months (http://www.esecurityplanet.com/trends/print.php/2175751), which means that even if it's not a pain for you now, it will be soon.
Bottom line is that this is a *big* usability step backwards, and I would strongly ask that it be reversed. There's no evidence that emails in Bugzilla are being harvested, and even if they were, there's nothing to suggest tools can't deal with them. And for people that still have problems, they can use a wine-specific email for it -- but this makes it their choice, not something unilaterally imposed on everybody.
Having to use a different email for every purpose is a big usability step backwards, and it's not something all users are capable of, believe it or not.
I'm afraid that in the months to come, you'll see anti-spam proposals that will make the issue of registering to see the bug database look mild by comparison. - Dan
On May 19, 2003 12:31 pm, Dan Kegel wrote:
I've got SpamAssassin, and it's not enough. Just now I checked my email, and in the 12 hours since last I checked it, I got about 50 spams that made it *through SpamAssassin*.
From other reports on the list, I'm almost sure these are not coming from wine-harvested emails. You can easily do a wine@kegel.com. I'd be curious to see how much spam you get on that email alone, if you post it only on wine-*@winehq.org and Wine Bugzilla.
Dimitrie O. Paun wrote:
From other reports on the list, I'm almost sure these are not coming from wine-harvested emails. You can easily do a wine@kegel.com. I'd be curious to see how much spam you get on that email alone, if you post it only on wine-*@winehq.org and Wine Bugzilla.
I can certainly create a wine@kegel.com, but my Aunt Tillie can't, and she might well want to file a bug report without getting inundated. Also, switching identities every time I want to post to Wine mailing lists is something I probably can't remember to do. (I know my limits.)
Since you're advocating the idea, could you try it out and post the results? Just use wine-dpaun@rogers.com or something like that every time you post to a wine list for the next few months, and let's see whether you get any spams at that address. - Dan
On May 19, 2003 12:47 pm, Dan Kegel wrote:
Since you're advocating the idea, could you try it out and post the results? Just use wine-dpaun@rogers.com or something like that every time you post to a wine list for the next few months, and let's see whether you get any spams at that address.
Well, I don't know if you've noticed, but I've been posting on wine-devel from two addresses: dimi@intelliware..., and dpaun@rogers... since Jan of this year. It's been more than 4 months, and as a matter of fact I've also posted on the binutils list as well from my dimi@intelliware.ca, so I don't know where the address got harvested, but it does give an upper bound. Here is the situation:
-- I read my mail from work and from home. At work I read my mail from 9:30 to 18:00, and there I delete all spam, so I can't account for it. But I can tell you I don't get much. If spam were evenly distributed, I should get roughly 1/3 during business hours, but it's far less than that. But since we're looking for an upper bound, we can work with 1/3.
-- At home all mail I delete goes to the trash folder in kmail, so here I can count.
This being the case, in the last month (which should be the worst, because it takes time to harvest the address, etc.) I could count about 20 spams on that address (dimi@intelliware...). If we assume I've deleted 1/3, this gives at most 30 spam mail per month, or an average of 1 per day. And for what it's worth, all _very_ simple to filter out: Viagra, "Copy Any DVD - With a CD Burner", $10000, etc.
Dimitrie O. Paun wrote:
an average of 1 per day (to my wine-devel only email address)
Look far enough ahead, and you'll see that even this is a problem. Given the spam doubling time of 6 months, in about three years you'll be getting 100 a day due to wine-devel harvesting.
- Dan
Again, there is no evidence of wine-devel harvesting.
On Monday 19 May 2003 03:03 pm, Sylvain Petreolle wrote:
Again, there is no evidence of wine-devel harvesting.
FWIW, I used my e-mail for some time almost exclusively on wine-devel and experienced a shockingly low amount of spam for several months. I was kind of surprised by it. OTOH, even if it isn't happening now, I would say it's safe to assume it will happen sooner or later, and any inconveniences caused by such changes... well, personally I don't mind tolerating such things, even if it's a preemptive measure.
Have you tried to open an account with this mail provider, not using it at all? Many tests were done like this one for others... and they prove that it receives spam.
Dan Kegel wrote:
Since you're advocating the idea, could you try it out and post the results? Just use wine-dpaun@rogers.com or something like that every time you post to a wine list for the next few months, and let's see whether you get any spams at that address.
- Dan
I'll save Dimi the trouble.
No spams for wine-users. No spams for wine-bugzilla. Obviously, no spam for wine-announce. Very little spam for the wine code changelog (I'm not sure whether it's taken from the code or from the wine-patches archives, though), and quite a bit of spam to my old wine-devel email. A few months ago I switched to a new domain, and I recorded no spam to the new address. Please note that I have also started to use spam filters, so it may just be that I'm too lazy to check every spam that arrives, to see what email address it was sent to.
Shachar
Dimitrie O. Paun wrote:
From other reports on the list, I'm almost sure these are not coming from wine-harvested emails. You can easily do a wine@kegel.com. I'd be curious to see how much spam you get on that email alone, if you post it only on wine-*@winehq.org and Wine Bugzilla.
Quite a few, really. Those are not from bugzilla, however.
This is not the point, though. The original point was that the spam robots took too much CPU from the database engine. Against that, either require login or start with techniques such as the one I described above. Jeremy's point is well taken, though. Putting a non-clickable link into the template is easy. Blocking the resulting IPs from getting to the database requires bugzilla code maintenance, which is more than J is willing to do.
Removing the emails from the database (I'm in favour, myself. I suggest removing everything but the TLD, so my email for this list would become wine-devel@shemesh) would solve the spam harvesting problem as far as end users are concerned, but not as far as load on the database is concerned.
Shachar