The trick is being able to modify the CI workflow in the PR to inject new behavior. If there was a limit of some type on that it would decrease the usefulness of this.
On Wed, Apr 21, 2021 at 9:33 AM Beckerle, Mike <mbecke...@owlcyberdefense.com> wrote:

> This has to do with crypto mining? Gaaak.
>
> So their PR contains crypto mining code, and they are doing this to get
> the CI to run it as part of the way CI checks any PR?
>
> Sounds like submitting a PR has to require a CAPTCHA or 2-FA.
>
> ________________________________
> From: Steve Lawrence <slawre...@apache.org>
> Sent: Wednesday, April 21, 2021 9:22 AM
> To: dev@daffodil.apache.org <dev@daffodil.apache.org>
> Subject: Re: all this github spam ?
>
> Unfortunately, I'm not sure there's anything we can do about it.
>
> GitHub doesn't give any controls over who can/can't open a PR. We can't
> even temporarily close PRs completely.
>
> We could maybe make it so GitHub actions on PRs must be manually
> triggered so the spammers' cryptocurrency mining stuff would never run.
> But that's a bit of a pain, and it relies on the spammers to realize
> their stuff isn't being run anymore and take us off their list. My guess
> is we're stuck on their list forever now.
>
> These crypto mining attacks are a known issue for GitHub, hopefully
> they're working on a solution. Though, GitHub is eventually detecting
> these are spam and closing the accounts and deleting the PRs, but not
> until after the PR is created.
>
> As to the archive issue, we could maybe ask infra to remove archives
> that are clearly spam (all of them so far say "Demo titles Add
> files...", so unique and consistent). But it doesn't solve the
> underlying issue.
>
> On 4/21/21 8:59 AM, Beckerle, Mike wrote:
> > We seem to be fending off maybe 10 a day github spam attacks where people
> > open/close pull requests.
> >
> > Is there something systematic we can do to avoid this?
> >
> > This pollutes our mailing lists. I know we can manually purge the PRs from
> > github, but these things will live forever in the mail archives, adding a bunch
> > of random emails/account names to them, and generally making them less useful.
> >
> > Mike Beckerle | Principal Engineer
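
The two signals named in this thread (a PR that edits the CI workflow, and the consistent "Demo titles Add files..." title) can be turned into a hold-for-manual-approval check. This is an added example, not code from the thread or from the Daffodil project; the PR record shape, function names and sample PRs are constructed for illustration, and the `author_association` values are the ones GitHub's API reports.

```python
import re

# Directory GitHub Actions loads workflow definitions from.
CI_PATH = re.compile(r"^\.github/workflows/")
# Title prefix the thread reports on every spam PR seen so far.
SPAM_TITLE = re.compile(r"^Demo titles Add files")
# GitHub author_association values for accounts with no standing in the repo.
UNTRUSTED = {"NONE", "FIRST_TIMER", "FIRST_TIME_CONTRIBUTOR"}
DIFF_HEADER = re.compile(r"^diff --git a/(\S+) b/(\S+)$", re.MULTILINE)


def touched_paths(diff_text):
    """Return every path named in 'diff --git' headers (old and new side)."""
    paths = set()
    for old, new in DIFF_HEADER.findall(diff_text):
        paths.update((old, new))
    return paths


def triage(pr):
    """Return the reasons a PR's CI run should wait for a maintainer."""
    reasons = []
    ci_files = sorted(p for p in touched_paths(pr["diff"]) if CI_PATH.match(p))
    if ci_files:
        reasons.append("modifies CI definition: " + ", ".join(ci_files))
    if SPAM_TITLE.match(pr["title"]):
        reasons.append("title matches known spam pattern")
    # Author standing only escalates a PR that is already suspicious.
    if reasons and pr["author_association"] in UNTRUSTED:
        reasons.append("author has no prior contributions")
    return reasons


# Constructed sample PRs (hypothetical, not taken from any real repository).
SPAM_PR = {
    "title": "Demo titles Add files...",
    "author_association": "NONE",
    "diff": "diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml\n"
            "--- a/.github/workflows/main.yml\n+++ b/.github/workflows/main.yml\n"
            "@@ -1,2 +1,3 @@\n     steps:\n+      - run: ./added-step.sh\n",
}
NORMAL_PR = {
    "title": "Fix typo in README",
    "author_association": "CONTRIBUTOR",
    "diff": "diff --git a/README.md b/README.md\n--- a/README.md\n+++ b/README.md\n"
            "@@ -1 +1 @@\n-Dafodil\n+Daffodil\n",
}

if __name__ == "__main__":
    for pr in (SPAM_PR, NORMAL_PR):
        print(pr["title"], "->", triage(pr) or "run CI")
```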