Hello Duncan,

Wednesday, July 20, 2005, 9:07:15 PM, you wrote:

>> The SARE list is private and invitation only for exactly these reasons.

DF> I'm *really worried* about proposals that involve mailing lists that
DF> have only private archives and require moderator approval for
DF> subscription. It just doesn't feel right for an open source project.

Agreed. But you do secure the security-bug submissions from publicly
accessible lists and archives...

DF> It's quite possible that this drives people away. In fact I'm quite
DF> sure people are less likely to get involved if they have to somehow
DF> prove that they aren't a spammer in order to subscribe.

Yes, but you also don't want spammers wrecking the system, making it
useless. There's a viable balance somewhere...

DF> For example, I came across the sare-users mailing list the other day,
DF> but I didn't want to go through the hassle of subscribing -- I just
DF> wanted to browse the archives.

DF> How do we balance the benefits of being open with the potential
DF> dangers?

I've thought about this some, and suggest that maybe something like
three overlapping lists:

a) committers have the ability to take rules that work and add them to
   the "permanent" submission system. There are no limitations to what a
   committer can do within this mass-check system.
b) vetted subscribers can submit rules to mass-check with no moderation
   other than --lint. They can review any/all archives.
c) non-vetted subscribers can submit rules to mass-check, with a delay
   which allows volunteers in (a) and/or (b) to review the submissions
   and make sure there are no obvious "drive the system into the ground"
   errors (intentionally or not). Once approved, the rules get
   mass-checked, and the results are emailed back to the submitter (as
   well as deposited into the archive).

Everyone can participate. The level of participation depends partly on
trust (vetted) and partly on dedication (committers).

>> I don't see a need for moderated postings from approved list members. If
>> you want to have a "submit a rule here" maildrop-like facility attached to
>> the list, where anyone can submit a rules file to be tested, then this would
>> need to be a moderated posting. Otherwise the spammers could submit a rule
>> with about a thousand stars in it, with predictable results.

DF> Obviously any mechanism that would lead to a mass-check run (or any
DF> other use of other people's computer resources) would require some
DF> sort of authentication.

Exactly. And the level of authentication depends partly on the type of
activity and data returned. Within SARE, our mass-checks always run with
--loghits, so we can see what hits (except in meta's of course). But
that's a confidentiality issue -- we wouldn't want to share that --loghit
information (often including email addresses, names, etc) on a public
and open archive.

Bob Menschel
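
Added example, not part of the original message and not SARE or SpamAssassin code: a pre-screen a volunteer reviewer could run on a non-vetted submission to surface the "thousand stars" kind of rule before it reaches mass-check, with routing that follows the three tiers proposed above. The function names, the `MAX_UNBOUNDED` threshold and the tier strings are assumptions, and only `/.../`-delimited patterns are handled.

```python
import re

# Rule types that carry a /regex/ in SpamAssassin rule syntax.
RULE_RE = re.compile(r"^\s*(body|rawbody|full|uri|header)\s+(\w+)\s+(.*)$")
MAX_UNBOUNDED = 10  # assumed review threshold, not a SARE or SpamAssassin value

def extract_pattern(rest):
    """Text between the first and last '/' of a rule, or None (e.g. exists:)."""
    start, end = rest.find("/"), rest.rfind("/")
    return rest[start + 1:end] if 0 <= start < end else None

def count_unbounded(pattern):
    """Count *, + and {n,} outside escapes and character classes."""
    count, i, in_class = 0, 0, False
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":            # escaped char: skip it and the next one
            i += 2
            continue
        if in_class:
            in_class = c != "]"
        elif c == "[":
            in_class = True
        elif c in "*+" or (c == "{" and re.match(r"\{\d+,\}", pattern[i:])):
            count += 1
        i += 1
    return count

def triage(rules_text, tier):
    """Return (decision, findings) for one submission under the tiers above."""
    if tier in ("committer", "vetted"):  # (a) unrestricted; (b) only --lint, run separately
        return "mass-check", []
    findings = []                        # (c) always held; findings guide the reviewer
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        pattern = extract_pattern(m.group(3)) if m else None
        if pattern is not None:
            n = count_unbounded(pattern)
            if n > MAX_UNBOUNDED:
                findings.append((m.group(2), n))
    return "hold", findings

# Constructed sample submission (not real SARE rules).
SAMPLE = "\n".join([
    r"body     EX_PILLS  /\bcheap\s+pills\b/i",
    r"header   EX_SUBJ   Subject =~ /^re:\s*[*+]+ offer/i",
    "rawbody  EX_STARS  /" + "a*" * 1000 + "b/",
    "describe EX_STARS  constructed rule with a thousand stars",
])
```

The quantifier count is a coarse signal for a human reviewer, not a substitute for the review delay or for `--lint`.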
