From: "Faust Tanasescu"
To: gentoo-dev@gentoo.org
Subject: Re: [gentoo-dev] RFP: System to account users configurations
Date: Sun, 16 Jun 2002 20:01:20 -0400

I'm thinking of lots of glue, a perl script for client and https server on gentoo.org to allow SSL (secure socket layer) communication between client/server. It's a fresh approach to solve just this problem...
Well fresh is relative here ;) Here's a link
http://developer.netscape.com/docs/manuals/security/sslin/contents.htm

>From: Rufiao
>Reply-To: gentoo-dev@gentoo.org
>To: gentoo-dev@gentoo.org
>Subject: Re: [gentoo-dev] RFP: System to account users configurations
>Date: Sun, 16 Jun 2002 20:11:37 -0300
>
>
>The abuse of this kind of system should be taken into account, since it may
>be quite easy for someone to create a bot (or whatever) capable of feeding
>the system with fake data, and by consequence destroy its reputation.
>
>However, I agree this issue should not complicate the system setup. There
>are problems with the approach I've described, in particular for users who
>maintain more than a couple of Gentoo boxes (it may be inconvenient even
>for people who run more than one machine, due to the fact it's necessary to
>have one key per machine).
>
>Debian's popularity-contest uses SMTP as its transport, both to avoid the
>need for constant internet connection and to have some means to ensure the
>identity of every contributing machine. I'm not sure SMTP can help on the
>identification of users at all, and it may complicate the setup even more
>for users who don't have local MTA spools set (and which want to
>participate but don't have constant connectivity), so I've discarded it.
>
>Also, using the machine's IP addresses as a measure of abuse (by
>investigating how many posts occur for a given address) may lead to bad
>results, since some users have more than one machine under a 1:n NAT.
>
>In the end, it may be better to simply avoid the signup, and use some
>'loose' approach, which is to ask the user's e-mail to be used just in the
>case of abuse detection (of course a 'bad' user could provide a fake e-mail
>address, but in this case, after the detection of abuse and an unsuccessful
>attempt to contact the user, all his provided data can be set to be
>automatically rejected by the server-side system).
>
>But it may happen there's a better approach for this whole problem.. Any
>thoughts?
>
>On Sun, 16 Jun 2002 17:12:52 -0400
>"Faust Tanasescu" wrote:
>
> > >From: Rufiao
> > >Reply-To: gentoo-dev@gentoo.org
> > >To: gentoo-dev@gentoo.org
> > >Subject: [gentoo-dev] RFP: System to account users configurations
> > >Date: Sun, 16 Jun 2002 17:16:21 -0300
>[...]
> > >
> > >In the client side, the procedure to provide data for the system is the
> > >following:
> > >
> > >- User emerge the package, which:
> > >   - Sets a crontab entry to let the system run periodically, possibly
> > >     requiring user intervention to specify when the system should run
> > >   - Points to an URL (in the gentoo.org domain) for signup
> > >- User go to the provided url, which requests the e-mail from the user, and
> > >  that the user transcribe a random 4-letters message shown as an image to
> > >  a text box. These requirements are used to ensure, as long as possible,
> > >  the authenticity of the data and to avoid automated signups
> >
> > Users are required to 1) want to participate to this survey 2) asked when
> > system should run information grab 3) go to URL to subscribe to service 4)
> > get magic key from server 5) set up client system 6) check it runs well.
> >
> > We don't have many users and setup is very complicated to my taste for
> > something that brings nothing to me as a gentoo user. And we want people to
> > use this. the more, the better.
> > I don't know about this, but as a gentoo user, if a system like this were
> > available I would not bother installing it. It is way too lengthy and I get
> > nothing out of it as an individual.
> >
> > I propose making this whole process a lot simpler for the client. What we
> > must keep in mind is that no system is perfect, and to not fall into
> > paranoia. I therefore propose shortening the setup of this survey system to
> > something smaller.
> >
> > 1) user required to emerge package.
> > 2) they are asked when the collect should run
> >
> > and that's it
> >
> > now how to keep people from abusing of this system is a whole new question
> > and I think we should treat it separately. However I'd like to propose
> > something as well.
> >
> > it's the server's duty to protect itself from idiots. When client connects
> > to server to upload its information file, the server sends the client a
> > unique key that expires after 1 week or couple days.. depends on how often
> > we want input. If client tries to send input again it could remove the key
> > file of course and claim it's new to the service, that's why the submitter's
> > IP address needs to be recorded for first-time users as well.
> >
> > Of course system is not perfect... the idiot could change his IP address of
> > course no problemo ... he could disconnect/reconnect to his ISP or something
> > similar but that would be real stupid. I don't think that many people would
> > actually attempt that.
> >
> > I think that the person who would attempt this, if it's ever going to
> > happen, it's because our user base has grown very, very large and his impact
> > would be minimal to our system.
> >
> >
> > This is just an idea.. I'm sure there are better...
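
The expiring-key and first-time-IP check proposed in the quoted message, together with the NAT objection raised in the reply, as an added Python example; it is not code from the thread or from any Gentoo project. The class, method and verdict names, the HMAC-signed key format and the per-IP limit are assumptions; the one-week lifetime is the figure given in the message.

```python
import hashlib, hmac, secrets

KEY_LIFETIME = 7 * 24 * 3600  # "expires after 1 week", in seconds

class SurveyServer:
    """Hypothetical acceptance policy; every name here is an assumption."""
    def __init__(self, secret, new_per_ip=1):
        self.secret = secret          # server-only HMAC secret
        self.new_per_ip = new_per_ip  # keyless uploads allowed per IP per window
        self.first_seen = {}          # ip -> times of accepted keyless uploads

    def _mac(self, client_id, issued):
        return hmac.new(self.secret, f"{client_id}:{issued}".encode(), hashlib.sha256).hexdigest()

    def _issue(self, now):
        client_id = secrets.token_hex(8)
        return f"{client_id}:{now}:{self._mac(client_id, now)}"

    def _state(self, key, now):
        try:
            client_id, issued, mac = key.split(":")
            issued = int(issued)
        except ValueError:
            return "invalid"
        if not hmac.compare_digest(mac.encode(), self._mac(client_id, issued).encode()):
            return "invalid"
        return "live" if now - issued < KEY_LIFETIME else "expired"

    def submit(self, ip, key, now):  # -> (verdict, new_key or None)
        if key is not None:
            state = self._state(key, now)
            if state != "expired":            # forged, or already counted this week
                return f"rejected: {state} key", None
            return "accepted", self._issue(now)
        recent = [t for t in self.first_seen.get(ip, []) if now - t < KEY_LIFETIME]
        if len(recent) >= self.new_per_ip:
            # Deleted key file, or a second honest machine behind the same
            # 1:n NAT: the server cannot tell these two cases apart.
            return "rejected: ip quota", None
        self.first_seen[ip] = recent + [now]
        return "accepted", self._issue(now)

def demo():  # constructed sequence; 203.0.113.7 is a documentation address
    srv, ip = SurveyServer(b"constructed-secret"), "203.0.113.7"
    _, key = srv.submit(ip, None, 0)                 # first upload: accepted
    return [srv.submit(ip, key, 3600)[0],            # resend within the week
            srv.submit(ip, None, 7200)[0],           # key file gone, same IP
            srv.submit(ip, key + "0", 7200)[0],      # tampered key
            srv.submit(ip, key, KEY_LIFETIME)[0]]    # key expired: next round
```

Raising `new_per_ip` admits several machines behind one NAT address, at the cost of accepting the same number of deleted-key resubmissions from that address.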