
Re: Debian WWW CVS commit by joy: webwml/english/CD/vendors adding-form.wml

On Wed, Apr 18, 2007 at 10:34:56AM +0200, Richard Atterer wrote:
> > > I'm interested! :)
> > 
> > I'd be happy to add you to the cdvendors alias, just send me the 
> > preferred address.
> Please use atterer@d.o - thanks!

You're added :)

> There will be no submission "From:" if people use the web form. 

Yes, the form can fix that problem, but it also means that www-data can be
abused to mass-spam the list archives. Granted, that can probably be curbed
fairly easily by adding various anti-spam measures into the CGI script.

I implemented several anti-spam measures already in the script. First off,
it requires various fields to include various kinds of input (it untaints
all variables), so bots cramming http:// links everywhere will be stopped.
I also did one final check which is to fetch the designated URL for Debian
products at the vendor site and see if it has the string Debian on it.
If not, it's probably HTML FORM spam. (This has a potential to DoS master or
some other site or both if someone generates too many of those requests, but
I think it should be acceptable, or at least manageable.)

> > I hear you on the "select club" issue. Currently, the mails are received
> > at master and archived at www-master, and that machine isn't available
> > to all developers to log into - AFAIR? This way, someone needs to be
> > both a developer and has to request the login privilege over there in
> > order to read the old mailbox which is located at
> > /org/www.debian.org/mail/cdvendors Are those two hurdles too much?
> IMHO, yes. I didn't know where to find the cdvendors mbox, nor that there 
> was an archive at all.
> I think it's more likely that someone else picks up the job if they are a 
> regular debian-www subscriber and see lots of unprocessed vendor requests. 

There are different fixes for that problem. We can make the script send a
short info mail to debian-www@lists whenever it sends a full submission to
cdvendors@. Also, we can probably set up a cron job that would monitor the
cdvendors database and notify us if there's a backlog.

(We should probably have such reminder thingies in the first place... *shrug*)

> *shrug* But you could also make the submission script output a message 
> which tells the submitter to contact debian-www@l.d.o if their request is 
> not processed within a week or two.

Yeah, but that's just relaying the problem over to the submitter, which is
bad :)

     2. That which causes joy or happiness.
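
The checks described in this message, sketched as an added example; this is not the Debian CGI script, which is not shown in the thread. It adds a cap on outbound fetches to bound the DoS potential the message mentions. The field names, patterns, limits and the caller-supplied `fetch` function are assumptions.

```python
import re
import time
from urllib.parse import urlsplit

# Assumed field names and allowlist patterns; only debian_url admits "://".
FIELD_RULES = {
    "vendor": re.compile(r"[\w .,&'-]{2,80}", re.ASCII),
    "country": re.compile(r"[A-Za-z .'-]{2,60}"),
    "email": re.compile(r"[\w.+-]+@[\w-]+(\.[\w-]+)+", re.ASCII),
    "debian_url": re.compile(r"https?://[\w.-]+(:\d+)?(/[\w./%~-]*)?", re.ASCII),
}

class FetchBudget:
    """Sliding-window cap on outbound fetches, overall and per target host."""
    def __init__(self, per_host=3, total=30, window=3600.0):
        self.per_host, self.total, self.window = per_host, total, window
        self.events = []  # (timestamp, host) of fetches still inside the window

    def allow(self, host, now):
        self.events = [(t, h) for t, h in self.events if now - t < self.window]
        same_host = sum(1 for _, h in self.events if h == host)
        if len(self.events) >= self.total or same_host >= self.per_host:
            return False
        self.events.append((now, host))
        return True

def check_submission(form, fetch, budget, now=None):
    """Return (accepted, reason); fetch(url) -> str is supplied by the caller."""
    now = time.time() if now is None else now
    clean = {}
    for name, rule in FIELD_RULES.items():
        clean[name] = form.get(name, "").strip()
        if not rule.fullmatch(clean[name]):
            return False, "bad field: " + name
    host = urlsplit(clean["debian_url"]).hostname.lower()
    if not budget.allow(host, now):  # refuse before any network traffic
        return False, "fetch budget exhausted"
    try:
        page = fetch(clean["debian_url"])
    except Exception:
        return False, "fetch failed"
    if "Debian" not in page[:200000]:  # only inspect a bounded prefix
        return False, "page does not mention Debian"
    return True, "ok"

if __name__ == "__main__":  # constructed sample submission with a stubbed fetch
    form = {"vendor": "Example CDs", "country": "Germany",
            "email": "sales@vendor.example", "debian_url": "http://vendor.example/debian/"}
    print(check_submission(form, lambda url: "We sell Debian CDs", FetchBudget()))
```

A submission that fails the content check still consumes budget, so repeated junk submissions cannot turn the form into a request generator against the vendor site or the host running the script.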
