ChanServ changed the topic of #freedesktop to: https://www.freedesktop.org infrastructure and online services || for questions about freedesktop.org projects, please see each project's contact || for discussions about specifications, please use https://gitlab.freedesktop.org/xdg or xdg@lists.freedesktop.org
Elon_Musk has quit []
lsd|2 has joined #freedesktop
scrumplex has joined #freedesktop
scrumplex_ has quit [Ping timeout: 480 seconds]
lsd|2 has quit [Quit: KVIrc 5.2.2 Quasar http://www.kvirc.net/]
olspookishmagus has quit [Ping timeout: 480 seconds]
kode54 has quit [Quit: The Lounge - https://thelounge.chat]
kode54 has joined #freedesktop
gnuiyl has quit [Remote host closed the connection]
gnuiyl has joined #freedesktop
alanc has quit [Remote host closed the connection]
alanc has joined #freedesktop
ximion has quit [Remote host closed the connection]
c02022[m] has joined #freedesktop
<dcbaker> dwfreed: ^
<dcbaker> They’re also on llvm
<dwfreed> yeah, they quit already, and they won't be able to come back
<dwfreed> They hit a lot of channels
swatish2 has joined #freedesktop
swatish2 has quit [Ping timeout: 480 seconds]
swatish2 has joined #freedesktop
alarumbe has quit [Ping timeout: 480 seconds]
AbleBacon has quit [Read error: Connection reset by peer]
tzimmermann has joined #freedesktop
cascardo_ has joined #freedesktop
cascardo has quit [Ping timeout: 480 seconds]
jsa1 has joined #freedesktop
sima has joined #freedesktop
Hazematman has quit [Quit: WeeChat 4.5.1]
Hazematman has joined #freedesktop
sghuge has quit [Remote host closed the connection]
sghuge has joined #freedesktop
Hazematman has quit []
Hazematman has joined #freedesktop
<pinchartl> karolherbst: maybe it's also time to consider blocking IP ranges from AWS and other large offenders. it may be slightly more disturbing, though
funderscore is now known as f_
fomys has joined #freedesktop
<karolherbst> pinchartl: thing is a lot of the spam comes from private IPs
<DragoonAethis> pinchartl: Good way to block most of the IRC bouncers on here :/
<karolherbst> like.. small companies in random countries just spamming
<karolherbst> DragoonAethis: only for gitlab
<DragoonAethis> karolherbst: ah, well then
<karolherbst> anyway, we've done some analysis and the big hosters aren't necessarily that common there, though might need a bit more analysis. Thing is, it's just not gonna help enough and maintaining IP ranges ain't free (and then dealing with exceptions, because companies (tm))
<karolherbst> anyway.. I don't think a small JS challenge is a bad idea, this is going to disrupt a looot of automated bots as I doubt any of them really have a javascript engine
<karolherbst> hopefully
<f_> karolherbst: if those bots are hitting gitlab then they must have a JS engine right?
<karolherbst> nope
<f_> GitLab shows mostly a blank page when there's no js enabled
<f_> and it's not usable
<karolherbst> yeah, but I mean, you can RE how the login works
<karolherbst> and just do raw HTTP
<f_> true.
<karolherbst> some spammers create like 30k accounts a week
<karolherbst> sometimes
<f_> oof
<f_> :/
<karolherbst> yeah.. last week we got one domain creating 10k accounts
<karolherbst> it's really a pain
<f_> yeah it is
<f_> especially for a not so powerful gitlab deployment
<karolherbst> I kinda hope we could have a better way of blocking spam instead of throwing comments through spam checkers, because users getting random "your comment was detected as spam" ain't helping either
<pinchartl> DragoonAethis: or make irc bouncers move to more ethical hosting ? :-)
<pinchartl> but yes, there's also lots of random IPs
<f_> DragoonAethis: have you heard of dronebl?
<pinchartl> for AI harvesting monsters, IP-based blocks are a bit more efficient (not fail-proof though)
<f_> pinchartl: ^
<karolherbst> pinchartl: I don't think we have monitoring set up like this atm
<karolherbst> like.. I don't think we can tell which IPs generate the most traffic
<pinchartl> f_: yes, I was looking at that too
<pinchartl> karolherbst: https://mastodon.social/@khobochka/113724300122190730 is one data point
<pinchartl> but only one data point
guludo has joined #freedesktop
swatish2 has quit [Ping timeout: 480 seconds]
swatish2 has joined #freedesktop
alarumbe has joined #freedesktop
<DragoonAethis> pinchartl: ideally we could stop pretending IRC makes sense in 2025, but that's a bannable opinion in most circles around here
<pinchartl> DragoonAethis: give me a good matrix CLI client :-)
<DragoonAethis> pinchartl: Not thinking of Matrix as the alternative tbh
<pinchartl> but I'm not sure how that's related to AI bots harvesting the web and spammers creating accounts on gitlab.fdo ?
<DragoonAethis> It's not, just a digression - either way, the little JS challenge middleware linked above looks cool
<DragoonAethis> As for registration, how about disabling the built-in GitLab registration and moving its flow to an external app that requires doing something non-standard?
<DragoonAethis> A little external app that requires you to send an email with a registration token to a specified address, which then lets you actually register
ybogdano has quit [Remote host closed the connection]
ybogdano has joined #freedesktop
<DragoonAethis> Many bots can handle "clicking" on a link received on their inbox, but not sending one in the other direction
<DragoonAethis> And then actual accounts can be created from the API
<DragoonAethis> I could build a prototype to see if that makes sense
<karolherbst> not sure we want to make it a pain to register tho
<DragoonAethis> It would not be a pain, just requires you to send an email with the specified content
<DragoonAethis> It's not hard, just rather non-standard
<karolherbst> that sounds like a pain to me
<pinchartl> in theory at least
<karolherbst> heh
<sima> uh kinda hard with just kbd tbh
<sima> aim is crap
<pinchartl> it would be ok if there was a way to strafe
<pinchartl> I had to try 5 or 6 times
<emersion> DragoonAethis: sounds a bit too surprising for users tbh
<emersion> also emails can be faked
<emersion> (that's why it's usually the reverse)
<emersion> (one could check DKIM, perhaps)
<DragoonAethis> I'm assuming your server does all the DKIM/DMARC/SPF checks
<DragoonAethis> Email is kinda unusable otherwise these days
<karolherbst> well.. most spam accounts use gmail
<karolherbst> and the rest throwaway DNS, which might not even be flagged yet
<DragoonAethis> As for surprising... sure, but if you were to receive very specific instructions? It's not hard, just different enough to force bot authors to script handling this specific flow, and it requires you to parse the page contents and send an email based on that
<karolherbst> I'm not saying it's hard, I'm saying it's a pain
<karolherbst> a lot of people will just not bother creating accounts
<karolherbst> specifically ND folks
<DragoonAethis> ND?
<karolherbst> neurodivergent
<sima> yeah there's been lots of shouting about forges requiring an account everywhere for a quick comment or bug report
<sima> so making that harder isn't great
<karolherbst> I'm already noped out of all bugzilla where I need to create an account because I simply can't be bothered
<karolherbst> could also just disable email login altogether and make it githubs/gitlabs/whoevers problem
<pinchartl> should we go back to e-mail workflows ? :D
<karolherbst> I think a little JS challenge the browser does without the user doing _anything_ is probably the best thing we can try here
<karolherbst> because the only annoyance you'll get is that you might have to wait 0.5 seconds
<karolherbst> and if we only do it on the registration URL...
<DragoonAethis> It should be applied everywhere except the API endpoints
<karolherbst> gitlab is quite good in not nuking your session every 2 days, so you'll stay logged in for months anyway
<DragoonAethis> This way you more or less solve the scraping bots
<karolherbst> so we might as well also protect the login
<karolherbst> no
<karolherbst> especially the API endpoints
<karolherbst> well
<karolherbst> for login
<karolherbst> are there even login API endpoints?
<karolherbst> most useless API anyway if that would exist
<DragoonAethis> I don't think so? You need the API key from your profile
<karolherbst> yeah..
<DragoonAethis> And logging in from the CLI just open the web browser for OAuth
<karolherbst> then we just need to protect the register/login endpoints
<DragoonAethis> opens*
lsd|2 has joined #freedesktop
<karolherbst> the thing is...
<karolherbst> we kinda want scraping
<karolherbst> because we want users to be able to use google to find issues
<DragoonAethis> Fair, although it looks like that's not working well nowadays
<karolherbst> yeah.......
swatish2 has quit [Ping timeout: 480 seconds]
<__tim> ci seems to struggle a little, have multiple jobs waiting for more than half an hour for a runner now :)
Kayden has quit [Quit: Leaving]
Kayden has joined #freedesktop
psykose has joined #freedesktop
vsro has joined #freedesktop
vsro has quit [Remote host closed the connection]
tzimmermann has quit [Quit: Leaving]
haaninjo has joined #freedesktop
vx has quit [Quit: G-Line: User has been permanently banned from this network.]
vx has joined #freedesktop
ximion has joined #freedesktop
AbleBacon has joined #freedesktop
fomys has quit []
jsa1 has quit [Ping timeout: 480 seconds]
sima has quit [Ping timeout: 480 seconds]
haaninjo has quit [Quit: Ex-Chat]
JanC is now known as Guest6493
JanC has joined #freedesktop
Guest6493 has quit [Ping timeout: 480 seconds]