Hey folks.
So, a few weeks back I noticed some spam projects on pagure.io. So, I cleaned up about 165 of them and deactivated 165 spam users.
Now, I see there's another pile of them. :(
So, I started to look at cleaning things up again, but I think we need a better solution that doesn't involve admins manually cleaning things up. ;( Additionally, the clean up is not really very scripted and takes a long time to do.
So, thoughts on a longer term solution? I can think of a few:
1. only allow fedora 'contributors' to make new projects. (ie, people in at least one non cla/non base ipa group)
   Pros:
   - Would very likely cut off the spam or at least cut it way down.
   - Might be easy to implement? (not sure tho!)
   Cons:
   - Would block legit people who aren't fedora contributors.
2. Some kind of moderation for new projects
   Pros:
   - Would let non fedora folks make new projects.
   - Would likely cut spam
   Cons:
   - Would require someone to moderate things
   - Would require us to make some kind of moderation code
3. A script to do all the cleanup so we could do it easier and some kind of 'bad words' blocklist we could put in place to stop obvious spammers (most of these are bogus "exam answers" ones)
   Pros:
   - Will cut down on spam some, but not fully.
   Cons:
   - Will have to write the script and implement the blocklist
   - It's likely spammers will use different words over time and avoid the block.
Or perhaps someone has further clever ideas? Happy to hear em. ;)
kevin
Do we allow people to login without Fedora account?
If not I don't see any issue to go with solution #1.
Michal
infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedorapro... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
We do not, so that's fine. I would rather people be able to login and report issues, fork, and contribute without the FPCA requirement, though.
On Wed, Apr 26, 2023 at 7:15 AM Michal Konecny <mkonecny@redhat.com> wrote:
> Do we allow people to login without Fedora account?
> If not I don't see any issue to go with solution #1.
> Michal
Regarding the #3, how do you find spam projects now? Could the script do the same?
Michal
Here are my thoughts on this:
Implement community moderation: Allow the community of users on pagure.io to help moderate and flag spam projects and users. This could be done through a reporting system or through user-driven flagging mechanisms that alert administrators to potentially problematic projects.
Increase the frequency of automated clean-up scripts: Increasing the frequency of these scripts could help keep the site cleaner and reduce the need for manual intervention by administrators.
On Wed, Apr 26, 2023 at 8:38 AM Michal Konecny <mkonecny@redhat.com> wrote:
> Regarding the #3, how do you find spam projects now? Could the script do the same?
> Michal
Hi -
> 1. only allow fedora 'contributors' to make new projects. (ie, people in at least one non cla/non base ipa group)
> [...]
>    Cons:
>    - Would block legit people who aren't fedora contributors.
The other positive edge of that sword could be giving them an incentive to become fedora contributors at least at some level.
- FChE
On Wed, Apr 26, 2023 at 01:38:05PM +0200, Michal Konecny wrote:
> Regarding the #3, how do you find spam projects now? Could the script do the same?
I find them manually. Go to pagure.io, browse projects and sort by 'most recent'. About 99% of the first 4-5 pages are clearly spam. They are either of the form: 'something something certs' with descriptions like ' 100% Actual Exam Questions for Best Results' or 'username' description 'exam' and tons of issues with the spam by username.
So, I am not sure we could script a detection super easily. Or if we did they wouldn't just adjust...
On Wed, Apr 26, 2023 at 11:15:51AM -0300, Leon Khan wrote:
> Here are my thoughts on this:
> Implement community moderation: Allow the community of users on pagure.io to help moderate and flag spam projects and users. This could be done through a reporting system or through user-driven flagging mechanisms that alert administrators to potentially problematic projects.
That would indeed be great, but it would need implementing the way to do that. Would need voting for projects and some way to flag and still admins would have to delete stuff. ;(
> Increase the frequency of automated clean-up scripts: Increasing the frequency of these scripts could help keep the site cleaner and reduce the need for manual intervention by administrators.
There's currently 0 automated cleanup. :) It's completely manual, which is what I am saying we need to fix. We would need to write scripts and... I am not sure how automated we could make it. :( but open to ideas...
On Wed, Apr 26, 2023 at 10:59:58AM -0400, Frank Ch. Eigler wrote:
> Hi -
> > 1. only allow fedora 'contributors' to make new projects. (ie, people in at least one non cla/non base ipa group)
> > [...]
> >    Cons:
> >    - Would block legit people who aren't fedora contributors.
> The other positive edge of that sword could be giving them an incentive to become fedora contributors at least at some level.
Perhaps.
So, it's sounding like putting the restriction back in place that you be a contributor to make new projects has reasonable appeal?
We will need to investigate how to do that. Might also need code changes?
kevin
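
Added example, not part of any message in this thread and not pagure code: a triage scorer that ranks recently created projects by the spam shapes described above (cert-style names, "exam" descriptions, a project named after its owner with nearly all issues filed by that owner) and exempts contributors. The `Project` record, its field names, the weights and the sample data are assumptions constructed for illustration; the output is a review queue for an admin, not a deletion list.

```python
import re
import unicodedata
from dataclasses import dataclass

# Constructed patterns for the two spam shapes described in the thread:
# "<something> certs" project names and "exam" descriptions.
CERT_NAME = re.compile(r"\bcerts?\b")
EXAM_TEXT = re.compile(r"\bexams?\b")


@dataclass
class Project:
    """Hypothetical record; field names are assumptions, not pagure's schema."""
    name: str
    description: str
    owner: str
    owner_is_contributor: bool  # member of at least one non-CLA, non-base group
    issues_total: int
    issues_by_owner: int


def normalize(text):
    """Fold case, width and separators so 'Exam_Questions' still matches 'exam'."""
    folded = unicodedata.normalize("NFKC", text).lower()
    return re.sub(r"[^a-z0-9]+", " ", folded).strip()


def score(project):
    """Return (points, reasons); more points means more worth an admin's look."""
    if project.owner_is_contributor:
        # Established contributors are the legitimate case; never queue them.
        return 0, []
    name = normalize(project.name)
    desc = normalize(project.description)
    points, reasons = 0, []
    if CERT_NAME.search(name):
        points += 2
        reasons.append("cert-style project name")
    if EXAM_TEXT.search(desc):
        points += 2
        reasons.append("exam wording in description")
        if name == normalize(project.owner):
            points += 1
            reasons.append("project named after its owner")
    # Many issues, at least 90% of them filed by the project owner.
    if project.issues_total >= 5 and project.issues_by_owner * 10 >= project.issues_total * 9:
        points += 2
        reasons.append("issues almost all filed by owner")
    return points, reasons


def triage(projects, threshold=3):
    """Build a review queue, highest score first. Nothing is deleted here."""
    queue = []
    for p in projects:
        points, reasons = score(p)
        if points >= threshold:
            queue.append((points, p.name, reasons))
    return sorted(queue, key=lambda item: (-item[0], item[1]))


# Constructed sample records, loosely shaped like the listing described above.
SAMPLE = [
    Project("aws-architect-certs", "100% Actual Exam Questions for Best Results", "jdoe4821", False, 0, 0),
    Project("markus77", "exam", "markus77", False, 40, 40),
    Project("kickstart-tools", "Kickstart helper scripts", "contrib_a", True, 12, 2),
    Project("cert-manager-operator", "Operator that manages TLS certs", "contrib_b", True, 3, 1),
    Project("exam-timetable", "Exam timetable generator for schools", "newuser", False, 1, 1),
]

if __name__ == "__main__":
    for points, name, reasons in triage(SAMPLE):
        print(points, name, "; ".join(reasons))
```

The single-signal case (`exam-timetable`) stays below the threshold, which is the trade-off a keyword list alone cannot make: one matching word is not enough to queue a project from a non-contributor.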
On Tue, Apr 25, 2023 at 02:17:34PM -0700, Kevin Fenzi wrote:
> Hey folks.
> So, a few weeks back I noticed some spam projects on pagure.io. So, I cleaned up about 165 of them and deactivated 165 spam users.
I took out a few a week or so ago, but not as many, I'm impressed :)
> Now, I see there's another pile of them. :(
> So, I started to look at cleaning things up again, but I think we need a better solution that doesn't involve admins manually cleaning things up. ;( Additionally, the clean up is not really very scripted and takes a long time to do.
> So, thoughts on a longer term solution? I can think of a few:
> 1. only allow fedora 'contributors' to make new projects. (ie, people in at least one non cla/non base ipa group)
>    Pros:
>    - Would very likely cut off the spam or at least cut it way down.
>    - Might be easy to implement? (not sure tho!)
>    Cons:
>    - Would block legit people who aren't fedora contributors.
That might be the easiest as iirc, it's a simple config change (like the one we had before enforcing fpca on src.fp.o).
> 2. Some kind of moderation for new projects
>    Pros:
>    - Would let non fedora folks make new projects.
>    - Would likely cut spam
>    Cons:
>    - Would require someone to moderate things
>    - Would require us to make some kind of moderation code
Another con:
- will require code change
> 3. A script to do all the cleanup so we could do it easier and some kind of 'bad words' blocklist we could put in place to stop obvious spammers (most of these are bogus "exam answers" ones)
>    Pros:
>    - Will cut down on spam some, but not fully.
>    Cons:
>    - Will have to write the script and implement the blocklist
>    - It's likely spammers will use different words over time and avoid the block.
We had basset in the past and always had in mind to hook pagure into it, but we decommissioned basset before we hooked pagure into it :/
Pierre
On Wed, 26 Apr 2023 at 07:17, Kevin Fenzi <kevin@scrye.com> wrote:
> Hey folks.
> So, a few weeks back I noticed some spam projects on pagure.io. So, I cleaned up about 165 of them and deactivated 165 spam users.
> Now, I see there's another pile of them. :(
> So, I started to look at cleaning things up again, but I think we need a better solution that doesn't involve admins manually cleaning things up. ;( Additionally, the clean up is not really very scripted and takes a long time to do.
> So, thoughts on a longer term solution? I can think of a few:
> 1. only allow fedora 'contributors' to make new projects. (ie, people in at least one non cla/non base ipa group)
>    Pros:
>    - Would very likely cut off the spam or at least cut it way down.
>    - Might be easy to implement? (not sure tho!)
>    Cons:
>    - Would block legit people who aren't fedora contributors.
This is my top pick!
Had a quick look at the pagure code, and this looks like we will have to add some additional logic for this to work (not necessarily difficult, but it’s not just a config change)
Afaict, there is no logic to restrict creating new repos (other than turning it off completely). Additionally, the logic that restricts FPCA is done at the login phase. So unless we want to restrict login to FPCA+1 (which I’m not suggesting) it will take a bigger (but not that bad) of a fix to get working.
> 2. Some kind of moderation for new projects
>    Pros:
>    - Would let non fedora folks make new projects.
>    - Would likely cut spam
>    Cons:
>    - Would require someone to moderate things
>    - Would require us to make some kind of moderation code
> 3. A script to do all the cleanup so we could do it easier and some kind of 'bad words' blocklist we could put in place to stop obvious spammers (most of these are bogus "exam answers" ones)
>    Pros:
>    - Will cut down on spam some, but not fully.
>    Cons:
>    - Will have to write the script and implement the blocklist
>    - It's likely spammers will use different words over time and avoid the block.
> Or perhaps someone has further clever ideas? Happy to hear em. ;)
Would trying to curtail bots registering on the Fedora Accounts side be an option here too?
Cheers, Ryanlerch
On Wed, Apr 26, 2023 at 6:26 PM Ryan Lerch <rlerch@redhat.com> wrote:
> On Wed, 26 Apr 2023 at 07:17, Kevin Fenzi <kevin@scrye.com> wrote:
> > Hey folks.
> > So, a few weeks back I noticed some spam projects on pagure.io. So, I cleaned up about 165 of them and deactivated 165 spam users.
> > Now, I see there's another pile of them. :(
> > So, I started to look at cleaning things up again, but I think we need a better solution that doesn't involve admins manually cleaning things up. ;( Additionally, the clean up is not really very scripted and takes a long time to do.
> > So, thoughts on a longer term solution? I can think of a few:
> > 1. only allow fedora 'contributors' to make new projects. (ie, people in at least one non cla/non base ipa group)
> >    Pros:
> >    - Would very likely cut off the spam or at least cut it way down.
> >    - Might be easy to implement? (not sure tho!)
> >    Cons:
> >    - Would block legit people who aren't fedora contributors.
> This is my top pick!
> Had a quick look at the pagure code, and this looks like we will have to add some additional logic for this to work (not necessarily difficult, but it’s not just a config change)
> Afaict, there is no logic to restrict creating new repos (other than turning it off completely). Additionally, the logic that restricts FPCA is done at the login phase. So unless we want to restrict login to FPCA+1 (which I’m not suggesting) it will take a bigger (but not that bad) of a fix to get working.
I'm happy to review contributions for this. The CI finally works again, so if the tests fail in a PR, at least it's actionable. :)
-- 真実はいつも一つ!/ Always, there's only one truth!
On Thu, Apr 27, 2023 at 08:25:48AM +1000, Ryan Lerch wrote:
> This is my top pick!
The one reason why I don't like this choice is that pagure.io was supposed to be distribution agnostic. Just an open source forge. That's why you see 'fedora-infrastructure' and 'fedora-kickstarts' and such as early project names, to make sure they indicated they were for fedora.
But that said, I am not sure that this distinction really matters too much these days.
if there's someone that wants a new project, but isn't a contributor in fedora they can ask us (or indeed any contributor) to add it for them.
> Had a quick look at the pagure code, and this looks like we will have to add some additional logic for this to work (not necessarily difficult, but it’s not just a config change)
yeah. ;(
> Afaict, there is no logic to restrict creating new repos (other than turning it off completely). Additionally, the logic that restricts FPCA is done at the login phase. So unless we want to restrict login to FPCA+1 (which I’m not suggesting) it will take a bigger (but not that bad) of a fix to get working.
yeah, I think we do not want to require fpca to login again. The spammers would likely just agree to it, and we don't really need to care what open source license people want to contribute to their projects.
> Would trying to curtail bots registering on the Fedora Accounts side be an option here too?
I don't think so, or at least it would be harder. A lot of times I think these things are initially setup by a human or group of humans, then they spew the spam via script... but I guess I don't know that for sure...
kevin
On 25-04-2023 23:17, Kevin Fenzi wrote:
> So, thoughts on a longer term solution? I can think of a few:
> 1. only allow fedora 'contributors' to make new projects. (ie, people in at least one non cla/non base ipa group)
>    Pros:
>    - Would very likely cut off the spam or at least cut it way down.
>    - Might be easy to implement? (not sure tho!)
>    Cons:
>    - Would block legit people who aren't fedora contributors.
I think the pros weigh out the cons and it's the least troublesome option to implement, it seems.
The way I look at pagure.io is as a Fedora service. It even says so next to the logo (Fedora Pagure). In that regard I don't find it strange/restrictive that you need to be a contributor for being able to create new projects. If you aren't and don't want to sign the FPCA, you can always ask someone, who is a contributor.
-- Sandro