From: "Faust Tanasescu" <faust_tanasescu@hotmail.com>
To: gentoo-dev@gentoo.org
Subject: Re: [gentoo-dev] RFP: System to account users configurations
Date: Sun, 16 Jun 2002 20:01:20 -0400
Message-ID: <F203h9IdDJLyyErMLrE000033ef@hotmail.com>

I'm thinking of lots of glue, a perl script for client and https server on
gentoo.org to allow SSL (secure socket layer) communication between
client/server. It's a fresh approach to solve just this problem... Well
fresh is relative here ;)
Here's a link
http://developer.netscape.com/docs/manuals/security/sslin/contents.htm
>From: Rufiao <rufiao@gmx.net>
>Reply-To: gentoo-dev@gentoo.org
>To: gentoo-dev@gentoo.org
>Subject: Re: [gentoo-dev] RFP: System to account users configurations
>Date: Sun, 16 Jun 2002 20:11:37 -0300
>
>
>The abuse of this kind of system should be taken into account, since it may
>be quite easy for someone to create a bot (or whatever) capable of feeding
>the system with fake data, and by consequence destroy its reputation.
>
>However, I agree this issue should not complicate the system setup. There
>are problems with the approach I've described, in particular for users who
>maintain more than a couple of Gentoo boxes (it may be inconvenient even
>for people who run more than one machine, due to the fact it's necessary to
>have one key per machine).
>
>Debian's popularity-contest uses SMTP as its transport, both to avoid the
>need for constant internet connection and to have some means to ensure the
>identity of every contributing machine. I'm not sure SMTP can help on the
>identification of users at all, and it may complicate the setup even more
>for users who don't have local MTA spools set (and which want to
>participate but don't have constant connectivity), so I've discarded it.
>
>Also, using the machine's IP addresses as a measure of abuse (by
>investigating how many posts occur for a given address) may lead to bad
>results, since some users have more than one machine under a 1:n NAT.
>
>In the end, it may be better to simply avoid the signup, and use some
>'loose' approach, which is to ask the user's e-mail to be used just in the
>case of abuse detection (of course a 'bad' user could provide a fake e-mail
>address, but in this case, after the detection of abuse and an unsuccessful
>attempt to contact the user, all his provided data can be set to be
>automatically rejected by the server-side system).
>
>But it may happen there's a better approach for this whole problem.. Any
>thoughts?
>
>On Sun, 16 Jun 2002 17:12:52 -0400
>"Faust Tanasescu" <faust_tanasescu@hotmail.com> wrote:
>
> > >From: Rufiao <rufiao@gmx.net>
> > >Reply-To: gentoo-dev@gentoo.org
> > >To: gentoo-dev@gentoo.org
> > >Subject: [gentoo-dev] RFP: System to account users configurations
> > >Date: Sun, 16 Jun 2002 17:16:21 -0300
>[...]
> > >
> > >In the client side, the procedure to provide data for the system is the
> > >following:
> > >
> > >- User emerges the package, which:
> > > - Sets a crontab entry to let the system run periodically, possibly
> > > requiring user intervention to specify when the system should run
> > > - Points to an URL (in the gentoo.org domain) for signup
> > >- User goes to the provided url, which requests the e-mail from the user, and
> > > that the user transcribe a random 4-letters message shown as an image to
> > > a text box. These requirements are used to ensure, as long as possible,
> > > the authenticity of the data and to avoid automated signups
> >
> > Users are required to 1) want to participate to this survey 2) asked when
> > system should run information grab 3) go to URL to subscribe to service 4)
> > get magic key from server 5) set up client system 6) check it runs well.
> >
> > We don't have many users and setup is very complicated to my taste for
> > something that brings nothing to me as a gentoo user. And we want people to
> > use this. the more, the better.
> > I don't know about this, but as a gentoo user, if a system like this were
> > available I would not bother installing it. It is way too lengthy and I get
> > nothing out of it as an individual.
> >
> > I propose making this whole process a lot simpler for the client. What we
> > must keep in mind is that no system is perfect, and to not fall into
> > paranoia. I therefore propose shortening the setup of this survey system to
> > something smaller.
> >
> > 1) user required to emerge package.
> > 2) they are asked when the collect should run
> >
> > and that's it
> >
> > now how to keep people from abusing of this system is a whole new question
> > and I think we should treat it separately. However I'd like to propose
> > something as well.
> >
> > it's the server's duty to protect itself from idiots. When client connects
> > to server to upload its information file, the server sends the client a
> > unique key that expires after 1 week or couple days.. depends on how often
> > we want input. If client tries to send input again it could remove the key
> > file of course and claim it's new to the service, that's why the submitter's
> > IP address needs to be recorded for first-time users as well.
> >
> > Of course system is not perfect... the idiot could change his IP address of
> > course no problemo ... he could disconnect/reconnect to his ISP or something
> > similar but that would be real stupid. I don't think that many people would
> > actually attempt that.
> >
> > I think that the person who would attempt this, if it's ever going to
> > happen, it's because our user base has grown very, very large and his impact
> > would be minimal to our system.
> >
> >
> > This is just an idea.. i'm sure there are better...
_________________________________________________________________
Join the worlds largest e-mail service with MSN Hotmail.
http://www.hotmail.com
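
The server-side idea in the quoted proposal above (a unique key that expires after a week, plus recording the IP address of first-time submitters) can be sketched as follows. This is an added example, not code from the thread or from Gentoo; `SubmissionGate`, `NAT_ALLOWANCE`, the HMAC-signed key format and the replay set are assumptions, with a per-IP allowance above one reflecting the 1:n NAT concern raised in the reply.

```python
import hashlib
import hmac
import secrets
import time

WEEK = 7 * 24 * 3600   # key lifetime suggested in the thread
NAT_ALLOWANCE = 5      # assumed: keyless first-time clients tolerated per IP per week

class SubmissionGate:  # hypothetical name; not from the thread
    def __init__(self, secret, lifetime=WEEK):
        self.secret, self.lifetime = secret, lifetime
        self.first_seen = {}   # ip -> timestamps of keyless (first-time) submissions
        self.renewed = set()   # ids of expired keys already traded for a new one

    def _mac(self, client_id, expires):
        msg = f"{client_id}:{expires}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def _issue(self, now):
        client_id, expires = secrets.token_hex(8), now + self.lifetime
        return f"{client_id}:{expires}:{self._mac(client_id, expires)}"

    def _check_key(self, key, now):
        try:
            client_id, expires, mac = key.split(":")
            expected = self._mac(client_id, int(expires))
        except ValueError:
            return "forged"            # wrong shape or non-numeric expiry
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return "forged"            # not a key this server signed
        if now < int(expires):
            return "too-soon"          # already submitted in this period
        if client_id in self.renewed:
            return "replayed"          # expired key may be traded in only once
        self.renewed.add(client_id)
        return "ok"

    def submit(self, ip, key=None, now=None):  # -> (verdict, new_key or None)
        now = int(time.time() if now is None else now)
        if key is not None:
            verdict = self._check_key(key, now)
            if verdict != "ok":
                return verdict, None
        else:
            # No key: the client claims to be new, so the IP record decides.
            recent = [t for t in self.first_seen.get(ip, []) if now - t < self.lifetime]
            if len(recent) >= NAT_ALLOWANCE:
                return "ip-limit", None
            self.first_seen[ip] = recent + [now]
        return "accepted", self._issue(now)
```

Deleting the key file only moves a client onto the keyless path, where the per-IP record applies; a client that changes address still gets through, which is the limitation the proposal itself acknowledges.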