daniels changed the topic of #freedesktop to: https://www.freedesktop.org infrastructure and online services || for questions about freedesktop.org projects, please see each project's contact || for discussions about specifications, please use https://gitlab.freedesktop.org/xdg or xdg@lists.freedesktop.org
<whot>
i've disabled wkrsemails.com from signing up now, that seems like 99% of the recently created ones
privacy has joined #freedesktop
<whot>
huh, and apparently that has no effect on signups
<whot>
karolherbst: ruby rails console: counting 51k users in the last 7 days from wrksemails.com...
DragoonAethis has quit [Quit: hej-hej!]
DragoonAethis has joined #freedesktop
<kode54>
you typed a different domain each time
<kode54>
wrks vs wkrs
<whot>
yeah, first one was a typo :)
<whot>
it is wrks but none of the wildcard combinations I tried seem to have any effect, they still sign up
<kode54>
maybe they're signing up with one address, then immediately changing it to another?
<kode54>
in which case, you'll need to log what they're registering with
<whot>
I don't think so based on the admin page for the users, but I can't find the logs for this in grafana
<whot>
so not 100% that's what's happening
Kayden has joined #freedesktop
<whot>
no, judging by the grafana logs gitlab still happily allows that domain and will send confirmation emails to it
<HansDR>
Hi. Can anyone tell me how to contact the admin for gitlab.freedesktop.org? I want to submit a merge request to virglrenderer, but need to be able to fork the repository first.
<HansDR>
Thanks. That's exactly what I was looking for.
AbleBacon has quit [Read error: Connection reset by peer]
privacy has quit [Quit: Leaving]
mrpops2ko has joined #freedesktop
<whot>
ok, found it. for some reason our domain allowlist was set to * and the deny list doesn't take effect if anything matches the allowlist. so we allowed... everything
<whot>
and numbers: 30k new users since 1 may, of which 27k came from 5 domains
<whot>
that number is after I ran a batch job to delete *a lot* which gitlab is still working on, so could've been a lot higher
<whot>
either way, a new spam account every 30s on average
todi1 has quit [Remote host closed the connection]
ximion has quit [Quit: Detached from the Matrix]
wbooze has quit [Ping timeout: 480 seconds]
GNUmoon has quit [Remote host closed the connection]
GNUmoon has joined #freedesktop
todi has joined #freedesktop
todi has quit [Remote host closed the connection]
blatant has joined #freedesktop
Inline has joined #freedesktop
Inline is now known as wbooze
<daniels>
whot: oh, thanks for figuring that out - I had been wondering why the denylist didn't do anything :\
todi has joined #freedesktop
todi has quit []
<karolherbst>
whot: I wonder when we'll reach the point of just disabling email sign ups altogether, though maybe the bots are smart enough to do social logins....
elaurent has joined #freedesktop
todi has joined #freedesktop
<whot>
karolherbst: it's an arms race, can't win either way
<karolherbst>
yeah, fair
<whot>
daniels: I was a bit nervous removing that for fear of disabling everything...
<karolherbst>
maybe we should just detect if a domain has that many signups in an hour to just block it and send an email to admins?
<whot>
but we're back to the more sane 1 spam account per hour rather than per 30s
<karolherbst>
could have a script run every hour if that's not too expensive
<whot>
https://paste.centos.org/view/e48883eb that's the list of domains used to sign up since 1 may. not sure the others are worth or even easy to detect
<whot>
pretty sure sarah and jennifer are part of the same script...
<whot>
karolherbst: we have a bunch of scripts running as cronjobs already to wipe the users, so running an extra one wouldn't be that hard
<karolherbst>
yeah.. then I guess that's the best we could do if it's easy to automate it
mrpops2ko has quit [Remote host closed the connection]
mrpops2ko has joined #freedesktop
<whot>
you can get the data with an admin token via the rest api/graphql (though the latter doesn't include all emails for some reason) so this could be done from the outside even
scrumplex has joined #freedesktop
scrumplex_ has quit [Ping timeout: 480 seconds]
f_ has joined #freedesktop
elaurent has quit [Ping timeout: 480 seconds]
aradhya7 has quit [Quit: Connection closed for inactivity]
<daniels>
I wonder if this is something we should publish more publicly?
<emersion>
in a more visible place? or in a news feed of some kind? (mastodon?)
elaurent has joined #freedesktop
<daniels>
emersion: yeah, more visible to people who don't either follow the wiki RSS or poll the page every day I guess :P
elaurent has quit [Ping timeout: 480 seconds]
todi has quit []
todi has joined #freedesktop
guludo has joined #freedesktop
<Consolatis>
<whot> either way, a new spam account every 30s on average
<Consolatis>
seems the captcha works great then (while still making life worse for legit users)
luca_ has joined #freedesktop
<daniels>
Consolatis: sarcastic criticism is one of the best motivators anyone could ask for
<Consolatis>
touché. it's the one thing remaining for me as somebody who has no say in the operations of the fdo gitlab instance
<Consolatis>
I already mentioned in the past the whole strategy of the fdo gitlab against spam is kind of pointless IMHO. Making signup harder will also reduce the onboarding of new legit volunteers but doesn't solve the spam issue as you can just rent some clickfarm. Instead, the reason that spammers sign up should be fought against. E.g. make every non-official project / fork / gist visible to logged-in users only. Same for comments of "untrusted" users.
<Consolatis>
then spammers can sign up all they want and they get nothing out of it
elaurent has joined #freedesktop
luca_ has quit []
Hooloovoo has joined #freedesktop
Hoolootwo has quit [Ping timeout: 480 seconds]
<karolherbst>
daniels: I was also wondering that about the maintainer guidelines there
<karolherbst>
but if we could use the xorg mastodon/whatever account for that stuff that would be great
<karolherbst>
Consolatis: they just post comments on the main repos then
<karolherbst>
or file issues
<Consolatis>
> Same for comments of "untrusted" users.
<karolherbst>
sooo...
<karolherbst>
users can't file bugs anymore?
<Consolatis>
sure they can, but you can only see them when logged in
<karolherbst>
it's just a technical limitation of gitlab
<karolherbst>
so you need to create an account and log in before you can see if the bug you just see is already being handled/fixed? sounds like inconveniencing users to me
<karolherbst>
but anyway
<karolherbst>
either way is bad for somebody
<daniels>
^
<karolherbst>
and the root cause for this is, that people thought LLMs are a fun idea, and now we all have to deal with nonsense AI spam bots 🤷 I wished we wouldn't have to, but so is life
<Consolatis>
^ members of official projects are by definition not "untrusted" so their comments would be visible to anybody, even without login
<karolherbst>
yeah, but good luck implementing it inside gitlab
<karolherbst>
we don't have the time for that
<karolherbst>
you are free to add those things to gitlab
<Consolatis>
so gitlab does not provide any option to make comments require login to see?
<karolherbst>
correct
<karolherbst>
at least not afaik
<Consolatis>
got it, thanks
<karolherbst>
moderation is super limited in gitlab already
<karolherbst>
and there are more pressing issues to deal with first regardless
privacy has joined #freedesktop
MrCooper has quit [Remote host closed the connection]
MrCooper has joined #freedesktop
ximion has joined #freedesktop
vx has quit [Quit: G-Line: User has been permanently banned from this network.]
vx has joined #freedesktop
elaurent has quit [Remote host closed the connection]
kxkamil has quit []
kxkamil has joined #freedesktop
blatant has quit [Quit: WeeChat 4.2.2]
<DragoonAethis>
Hmmm, how about having mandatory external approval for all new accounts?
<DragoonAethis>
Automated, but custom, so that bots don't know how to break it by default (it doesn't have to be good, just annoying enough for spammers not to bother)
<daniels>
that’s where we are tbh
<DragoonAethis>
Ah, and it's still this bad, nvm then
Kayden has quit [Quit: -> JF]
mrpops2ko has quit []
<dcbaker>
Do we have the GraphQL API enabled?
<daniels>
yep
<dcbaker>
Cool, thanks
<daniels>
np
AbleBacon has joined #freedesktop
alanc has quit [Remote host closed the connection]
alanc has joined #freedesktop
ximion has quit [Quit: Detached from the Matrix]
ximion has joined #freedesktop
wbooze has quit [Quit: Leaving]
Inline has joined #freedesktop
Inline is now known as Guest5382
Guest5382 is now known as Inline
Inline is now known as wbooze
Haaninjo has joined #freedesktop
mrpops2ko has joined #freedesktop
samuelig has quit []
samuelig has joined #freedesktop
wbooze has quit [Quit: Leaving]
lsd|2 has joined #freedesktop
guludo has quit [Ping timeout: 480 seconds]
guludo has joined #freedesktop
Inline has joined #freedesktop
Inline is now known as wbooze
guludo has quit []
guludo has joined #freedesktop
Kayden has joined #freedesktop
Haaninjo has quit [Quit: Ex-Chat]
wbooze has quit [Ping timeout: 480 seconds]
KDDLB has joined #freedesktop
Inline has joined #freedesktop
Inline is now known as wbooze
f_ has quit [Ping timeout: 480 seconds]
sima has quit [Ping timeout: 480 seconds]
samuelig has quit [Quit: Bye!]
samuelig has joined #freedesktop
<whot>
Consolatis: afaict the vast majority of those users did nothing but sign up and occupy resources, only few had a profile (which we scrub anyway) so I'm not quite sure what the point of all those was.
<whot>
Consolatis: maybe "create 5000 users and one with a spam link in the hope no-one notices", maybe they did try to post spam but got blocked, etc.
<whot>
Consolatis: either way, aside from the user creation there is very little spam that makes it through to our users so right now we're doing the right thing. because in the end, that's what we care about the most, not having every issue/pr spammed
<whot>
karolherbst: i don't think there's been any AI bots yet, so far it's been standard spam only
<whot>
DragoonAethis: external approval for new accounts means someone has to weed through hundreds of "i want a new account" emails and you're likely to miss the real ones. right now we allow for creation but purge regularly those users who don't do anything
<whot>
it's annoying enough to keep up with the "please allow me to fork" requests and there's only a few of those a day
wbooze has quit [Quit: Leaving]
lsd|2 has quit [Ping timeout: 480 seconds]
mvlad has quit [Remote host closed the connection]
lsd|2 has joined #freedesktop
zxrom has quit []
<karolherbst>
whot: nah.. some of the bots replied in a very "I'm a user and have some valuable contribution to this issue" way, but then just had random links in it
<karolherbst>
next time I see it, I could screenshot it
<karolherbst>
but a few of those really feel AI like
<whot>
karolherbst: I deleted a few of those (they do get caught by the spam checker) and they look much like cookie-cutter. I'd expect an AI to put more effort in than that :)
infernix has joined #freedesktop
Kayden has quit [Quit: home]
privacy has quit [Remote host closed the connection]