> I guess you'd have better data than I would; but I'm still having
> trouble believing that Spammers are adjusting on that time frame.

Some do; not all do.  However, the ones that can adjust in less than a day,
or maybe less than 2-3 days sometimes, tend to be some of the more prolific
spammers.  So you can have a *really effective* rule become worthless in
somewhere between 16 hours and say 96 hours.

> But how do we know who should be allowed access to the group?

Well, how do you decide who should be a developer and have access to the
source?  It's probably based on some informal set of rules, like the person
seems to be capable of writing decent perl, following the current style
guidelines, understands the source well enough to not break it too often,
has the ability to test their patches before committing them, and seems to
be dedicated to fighting spam.

A rules subproject would be a project too, and developers should also be
admitted to the project based on some set of reasonable criteria.  It might
include the ability to write regexes (or evals, or plugins, or whatever),
previous indication that they seem to come up with moderately decent rules
and techniques for catching spam, an understanding of what not to do in a
production regex, etc.  A little thought along the lines of "these are code
developers on an anti-spam project, what should I use for admittance
criteria" should suggest reasonable measures.

The only possibly 'odd' thing I'm suggesting is that the mailing list these
developers have access to is an embargoed private list for their use only
for 2..4 weeks or so.  Of course one assumes the SA PMC and perhaps
higher-ups would also have access if they cared.  One doesn't necessarily
assume that some other arbitrary Apache project would have live access.

Now, I may be wrong, but I have the distinct impression that there is a
mailing list or discussion group for the SA PMC that is not open to non-PMC
members, including SA devs that are not PMC members.  So far as I know, the
archives of that list/group are never made public.  And yet it is the
controlling group of a public project.

If such a thing can exist (and I believe it does) then it seems reasonable
that the developers of a public project can be a) admitted effectively by
invitation only based on some criteria, and b) have a semi-private
discussion forum.

This doesn't say that they can't have a public discussion forum too; just
that they can have one that is private in realtime even if it becomes public
later.  I think someone mentioned SA security bugs.  I'm sure they must get
discussed someplace -- but I have no idea where that might be, since I'm not
on the list of people that need to know about that.

You might think about it as some rules can constitute 'security bug fixes',
and you don't want the vulnerability known generally until a patch is in
place to stop it.  It is a little different with rules, because what you
have is a documented exploit in process, and you want to put a plug in the
hole without having the hole immediately change shape.  But it is much the
same concept, except you have the cart before the horse.

        Loren
