On 07/11/2012 08:24 AM, Kaspar Brand wrote:
> On 08.07.2012 22:33, Daniel Gruno wrote:
>> [ ] +1: Adopt the comments.a.o system in the 2.2 and 2.4 branch of docs
>> [ ]  0: I don't care
>> [ ] -1: Don't adopt the system, because....
> 
> Thanks for enduring your work on this - glad to see that it has become
> comments.a.o. in the meantime! I'm in favor of enabling it for 2.2/2.4,
> generally speaking, but am having some concerns with regard to the
> proposed approval policy: it changed from the "Comments will be
> moderated by appointed moderators" to "Comments will, in general, be
> allowed through without pre-approval. Comments with hyperlinks in them
> will require approval from a moderator before they are shown on the
> site" [1].
> 
> Auto-approval of comments makes me feel somewhat uneasy - on the one
> hand, there's the risk of inappropriate/incorrect content appearing on
> httpd.apache.org and going unnoticed for some time, and on the other
> hand, this means that input validation ("Name" and "Comment" fields in
> particular) has to be very tight... is
> http://c.apaste.info/source/add_comment.lua the current version of the
> code which validates the input? (If so, it's e.g. missing checks for
> https URIs, and at least at first sight, I couldn't spot any further
> checks on the POST input you're processing [the "site", "page", "thread"
> variables etc.].)
> 
> Kaspar
> 
> [1] http://wiki.apache.org/httpd/DocsCommentSystem?action=diff&rev1=6&rev2=7
> 

Hi Kaspar,
No, I haven't updated that source repository since we moved it all to
the infra SVN repo about a month ago. It is now in place at
https://svn.apache.org/repos/infra/infrastructure/trunk/projects/comments/
and has been rewritten extensively.

Names and comments are checked for http(s) schemes, size (no more than
2500 characters allowed) and so on, and while comments require approval
if a hyperlink is found that doesn't point to an official apache web
site, names with hyperlinks are flat out denied.

I think the general idea has, from the start, been to allow for comments
to go through without pre-approval, at least for a period so we can see
if that's what we want. If we later on decide that all comments need
approval before they are shown, then fine, we'll do so. The system is
geared to respond to a lot of different wishes from different projects,
for example, some may choose to enable Gravatar avatars for their
comments, while others may not (this is not enabled for the httpd site
by the way ;) ).

As for comments going unnoticed, we currently have four people who
automatically receive an email when someone posts on the site and we
have the option to add *every single Apache committer* to this list of
people moderating our site, so I think any 'bad' comments will be
spotted rather fast and removed.

We also have other options up our sleeves:
1) We can require that all posters be registered users first
2) We can ban the sorry people that try to spam our site
3) We can temporarily disable comments on the fly if something goes wrong

I hope this answered your concerns, and if you have any other
suggestions for how our little part of comments.a.o should work, please
do say so, and I'll see if I can figure out a way to make it work.

With regards,
Daniel.
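
The policy described in the message above, sketched in Python as an added example; it is not the comments.a.o code, which is Lua and is not shown in this thread. Assumptions: "official apache web site" is taken to mean apache.org and its subdomains, the 2500-character limit applies to each field, and the site/page/thread check and all function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

MAX_LEN = 2500                   # size limit stated in the message
OFFICIAL_SUFFIX = "apache.org"   # assumption: what counts as an official site
# Case-insensitive so "HTTPS://" is caught as well as "http://".
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Assumption: routing fields are slug-like segments joined by single '.' or '/'
# (no leading separator, no ".." sequences).
SLUG_RE = re.compile(r"[A-Za-z0-9_-]+(?:[./][A-Za-z0-9_-]+)*")


def is_official(url):
    """True only if the URL's host is apache.org or a subdomain of it."""
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:           # malformed authority, e.g. a broken IPv6 literal
        return False
    host = host.lower().rstrip(".")
    # Compare the parsed host, not the raw string, so userinfo tricks and
    # look-alike suffixes (apache.org.example.net) do not pass.
    return host == OFFICIAL_SUFFIX or host.endswith("." + OFFICIAL_SUFFIX)


def classify(name, comment, site, page, thread):
    """Return 'reject', 'hold' (needs moderator approval) or 'publish'."""
    for field in (site, page, thread):
        field = field or ""
        if len(field) > 128 or not SLUG_RE.fullmatch(field):
            return "reject"
    if not name.strip() or not comment.strip():
        return "reject"
    if len(name) > MAX_LEN or len(comment) > MAX_LEN:
        return "reject"
    if URL_RE.search(name):
        return "reject"          # names with hyperlinks are denied outright
    if any(not is_official(u) for u in URL_RE.findall(comment)):
        return "hold"            # off-site link: approval before display
    return "publish"
```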
