Re: new contributor annoyances (was Re: Interesting learnings about Guix contributor dynamics that apply to Debian?)
Julien Plissonneau Duquène <sre4ever@free.fr> writes:
> I would first try to improve the Salsa registration process. I
> understand the need to prevent recurrent abuse, but the current manual
> approval process with its delay and lack of feedback when things go
> wrong is likely to discourage casual contributors, as what could have
> been done in a few minutes now requires attention over multiple hours or
> days.
I would be worried about dropping the manual approval due to the sheer
volume of sophisticated automated spam account creation attacks on any
sort of authentication process with automatic sign-up.
Right now, we are in the enviable position where there is essentially no
spam via Salsa. I have seen what the level of spam looks like with an
automated sign-up process, and it would probably make me disable all of my
Salsa notifications, which would be a shame for other reasons. The only
way that companies like GitHub claw their way back from that is by having
a substantial anti-abuse team and a lot of constantly-tweaked automation
to detect and defeat spam. It is very, very easy for anything on the
Internet with public automated registration to immediately drown in SEO
spam.
Maybe there are more effective defenses than I am aware of (captcha
methods are definitely not sufficient in my experience) that we would fall
back on, and if the Salsa admins feel like this wouldn't be a problem, I
would definitely yield to their much greater experience. But it's real bad
out there in ways that I think the larger sites mostly hide because they
put a lot of resources into spam detection and prevention that we don't
have.
-- 
Russ Allbery (rra@debian.org)              <https://www.eyrie.org/~eagle/>
Reply to: