
Re: Abuse prevention



On Tue, Nov 20, 2018 at 05:37:33PM +0200, Dan Haiduc wrote:
> Hello,
> 
> As far as I could tell from searching through the mailing list [1],
> and through glancing through the examples subdirectory, there is an
> abuse prevention system such that a host ID that stops appearing is
> excluded from statistics.

Hello Dan,

Actually, this is not so much an abuse prevention system as the only
way to remove stale information while preserving anonymity.

> Since this could be circumvented by a malicious user (they could
> simply report multiple times with spoofed MD5 IDs), is there any other
> mechanism to prevent abuse, such as IP rate-limiting?

No.

> My guess is that the threat model doesn't warrant it. There is not
> much material gain in spoofing one's free-software package to the top.
> 
> I am asking because the F-Droid community is considering implementing
> a similar popularity-contest model, in order to recommend
> free-software Android packages. We would love to know if you need to
> prevent abuse at all.

No. The problems we have are rather:

1) People cloning systems without regard to popcon, leading to several
systems having the same popcon ID, which leads to submissions being
discarded (each time a submission is received, the previous one with the
same popcon ID is discarded).

2) Too many people trying to submit at the exact same time (perhaps
because of 1), which causes the web server to time out.

3) Corrupted reports (either in transit or from a corrupted drive) and
a very small number of manually edited reports.

Cheers,
-- 
Bill. <ballombe@debian.org>

Imagine a large red swirl here. 
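
An added example, not part of the original message and not popcon's own code: a minimal model of the behaviour described in the reply, where the latest report per host ID replaces the previous one, IDs that stop reporting expire, and an ID that reports twice inside one reporting period is flagged as a likely cloned system. The class and function names, the day counters, and the 7-day and 30-day values are assumptions for illustration.

```python
from collections import Counter

PERIOD_DAYS = 7        # assumed reporting interval, not taken from the page
STALE_AFTER_DAYS = 30  # assumed expiry window, not taken from the page

class ReportStore:
    """Hypothetical server-side store: one report kept per host ID."""

    def __init__(self):
        self.latest = {}            # host_id -> (day, frozenset of packages)
        self.overwritten = Counter()  # host_id -> reports replaced within one period

    def submit(self, host_id, day, packages):
        prev = self.latest.get(host_id)
        # A single host reports once per period. A second report from the same
        # ID inside that period points at cloned systems sharing one ID.
        if prev is not None and day - prev[0] < PERIOD_DAYS:
            self.overwritten[host_id] += 1
        # Last write wins: the earlier report for this ID is discarded.
        self.latest[host_id] = (day, frozenset(packages))

    def expire(self, today):
        # Drop IDs that stopped appearing; no identity is needed to do this.
        stale = [h for h, (d, _) in self.latest.items()
                 if today - d > STALE_AFTER_DAYS]
        for h in stale:
            del self.latest[h]
        return len(stale)

    def popularity(self):
        counts = Counter()
        for _, pkgs in self.latest.values():
            counts.update(pkgs)
        return counts

    def suspected_clones(self):
        return sorted(self.overwritten)

def demo():
    store = ReportStore()
    # Constructed sample submissions: (host_id, day, packages)
    for host_id, day, pkgs in [
        ("aaaa", 0, ["vim", "git"]),
        ("bbbb", 1, ["vim"]),
        ("cccc", 40, ["emacs", "git"]),    # first clone of an image
        ("cccc", 40, ["emacs", "nginx"]),  # second clone, same ID
        ("dddd", 41, ["git"]),
    ]:
        store.submit(host_id, day, pkgs)
    expired = store.expire(today=42)
    return expired, dict(store.popularity()), store.suspected_clones()
```

In this model the two clones count as one system, so the first clone's `git` entry is lost from the statistics while the shared ID is surfaced for review.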

