public inbox for gentoo-dev@lists.gentoo.org
From: "Faust Tanasescu" <faust_tanasescu@hotmail.com>
To: gentoo-dev@gentoo.org
Subject: Re: [gentoo-dev] RFP: System to account users configurations
Date: Sun, 16 Jun 2002 20:01:20 -0400
Message-ID: <F203h9IdDJLyyErMLrE000033ef@hotmail.com>

I'm thinking of lots of glue, a perl script for client and https server on 
gentoo.org to allow SSL (secure socket layer) communication between  
client/server. It's a fresh approach to solve just this problem... Well 
fresh is relative here ;)

Here's a link
http://developer.netscape.com/docs/manuals/security/sslin/contents.htm



>From: Rufiao <rufiao@gmx.net>
>Reply-To: gentoo-dev@gentoo.org
>To: gentoo-dev@gentoo.org
>Subject: Re: [gentoo-dev] RFP: System to account users configurations
>Date: Sun, 16 Jun 2002 20:11:37 -0300
>
>
>The abuse of this kind of system should be taken into account, since it may 
>be quite easy for someone to create a bot (or whatever) capable of feeding 
>the system with fake data, and by consequence destroy its reputation.
>
>However, I agree this issue should not complicate the system setup. There 
>are problems with the approach I've described, in particular for users who 
>maintain more than a couple of Gentoo boxes (it may be inconvenient even 
>for people who run more than one machine, due to the fact it's necessary to 
>have one key per machine).
>
>Debian's popularity-contest uses SMTP as its transport, both to avoid the 
>need for constant internet connection and to have some means to ensure the 
>identity of every contributing machine. I'm not sure SMTP can help on the 
>identification of users at all, and it may complicate the setup even more 
>for users who don't have local MTA spools set (and which want to 
>participate but don't have constant connectivity), so I've discarded it.
>
>Also, using the machine's IP addresses as a measure of abuse (by 
>investigating how many posts occur for a given address) may lead to bad 
>results, since some users have more than one machine under a 1:n NAT.
>
>In the end, it may be better to simply avoid the signup, and use some 
>'loose' approach, which is to ask the user's e-mail to be used just in the 
>case of abuse detection (of course a 'bad' user could provide a fake e-mail 
>address, but in this case, after the detection of abuse and an unsuccessful 
>attempt to contact the user, all his provided data can be set to be 
>automatically rejected by the server-side system).
>
>But it may happen there's a better approach for this whole problem.. Any 
>thoughts?
>
>On Sun, 16 Jun 2002 17:12:52 -0400
>"Faust Tanasescu" <faust_tanasescu@hotmail.com> wrote:
>
> > >From: Rufiao <rufiao@gmx.net>
> > >Reply-To: gentoo-dev@gentoo.org
> > >To: gentoo-dev@gentoo.org
> > >Subject: [gentoo-dev] RFP: System to account users configurations
> > >Date: Sun, 16 Jun 2002 17:16:21 -0300
>[...]
> > >
> > >In the client side, the procedure to provide data for the system is the
> > >following:
> > >
> > >- User emerges the package, which:
> > >   - Sets a crontab entry to let the system run periodically, possibly
> > >     requiring user intervention to specify when the system should run
> > >   - Points to an URL (in the gentoo.org domain) for signup
> > >- User goes to the provided url, which requests the e-mail from the user,
> > >   and that the user transcribe a random 4-letters message shown as an
> > >   image to a text box. These requirements are used to ensure, as long as
> > >   possible, the authenticity of the data and to avoid automated signups
> >
> > Users are required to 1) want to participate to this survey 2) asked when
> > system should run information grab 3) go to URL to subscribe to service 4)
> > get magic key from server 5) set up client system 6) check it runs well.
> >
> > We don't have many users and setup is very complicated to my taste for
> > something that brings nothing to me as a gentoo user. And we want people to
> > use this. The more, the better.
> > I don't know about this, but as a gentoo user, if a system like this were
> > available I would not bother installing it. It is way too lengthy and I get
> > nothing out of it as an individual.
> >
> > I propose making this whole process a lot simpler for the client. What we
> > must keep in mind is that no system is perfect, and to not fall into
> > paranoia. I therefore propose shortening the setup of this survey system to
> > something smaller.
> >
> > 1) user required to emerge package.
> > 2) they are asked when the collect should run
> >
> > and that's it
> >
> > Now how to keep people from abusing of this system is a whole new question
> > and I think we should treat it separately. However I'd like to propose
> > something as well.
> >
> > It's the server's duty to protect itself from idiots. When client connects
> > to server to upload its information file, the server sends the client a
> > unique key that expires after 1 week or couple days.. depends on how often
> > we want input. If client tries to send input again it could remove the key
> > file of course and claim it's new to the service, that's why the submitter's
> > IP address needs to be recorded for first-time users as well.
> >
> > Of course system is not perfect... the idiot could change his IP address of
> > course no problemo ... he could disconnect/reconnect to his ISP or something
> > similar but that would be real stupid. I don't think that many people would
> > actually attempt that.
> >
> > I think that the person who would attempt this, if it's ever going to
> > happen, it's because our user base has grown very, very large and his impact
> > would be minimal to our system.
> >
> >
> > This is just an idea.. I'm sure there are better...
>_______________________________________________
>gentoo-dev mailing list
>gentoo-dev@gentoo.org
>http://lists.gentoo.org/mailman/listinfo/gentoo-dev
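
The expiring-key and first-time-IP scheme discussed in the quoted thread, as an added sketch that is not part of the original e-mails or of any Gentoo code. `SubmissionGate`, the HMAC-signed key format, the superseded-key check and the per-address cap `MAX_NEW_PER_IP` (set above 1 because of the 1:n NAT concern raised in the thread) are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

WEEK = 7 * 24 * 3600   # key lifetime floated in the thread
MAX_NEW_PER_IP = 5     # assumed allowance for machines sharing one NAT address


class SubmissionGate:
    """Hypothetical server-side gate: one accepted upload per key per period."""

    def __init__(self, secret, period=WEEK, max_new_per_ip=MAX_NEW_PER_IP):
        self.secret, self.period, self.max_new = secret, period, max_new_per_ip
        self.new_by_ip = {}   # ip -> times of keyless (first-time) uploads
        self.current = {}     # client id -> expiry of the only key still honoured

    def _sign(self, client_id, expires):
        msg = f"{client_id}:{expires}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def _issue(self, client_id, now):
        expires = int(now) + self.period
        self.current[client_id] = expires
        return f"{client_id}:{expires}:{self._sign(client_id, expires)}"

    def submit(self, ip, key, now):
        """Return (accepted, reason, new_key_or_None) for one upload attempt."""
        if key is None:
            # No key (new client, or key file deleted): fall back to the IP,
            # with a cap above 1 so several hosts behind one NAT still enrol.
            recent = [t for t in self.new_by_ip.get(ip, []) if now - t < self.period]
            if len(recent) >= self.max_new:
                return False, "too many new clients from this address", None
            self.new_by_ip[ip] = recent + [now]
            return True, "enrolled", self._issue(secrets.token_hex(8), now)
        try:
            client_id, expires, mac = key.split(":")
            expires = int(expires)
        except ValueError:
            return False, "malformed key", None
        expected = self._sign(client_id, expires)
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return False, "forged key", None
        if self.current.get(client_id) != expires:
            return False, "superseded key", None
        if now < expires:
            return False, "already submitted this period", None
        return True, "renewed", self._issue(client_id, now)
```

A client that changes address between uploads still gets a fresh first-time allowance, which is the limitation the thread itself acknowledges.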



