Sure. So a couple of thoughts:

1. If the attack vector involves creating a launchpad account, there's not much we can do about that portion (account creation). But, we could potentially force the user to do a re-captcha when they want to edit / insert content. This doesn't fix the creation of fake accounts, but at least enables a basic check of humanity before editing is allowed.

2. It was discovered that the mobile view does not invoke the SSO via launchpad. While it appears this is unrelated to the spam and should take a lower priority, I would propose going ahead and fixing this for good measure.

3. Longer term - using OpenStack ID instead of LaunchPad. Would have to either implement a sunset period as Martin suggested or have the user authenticate to both SSO providers creating a relationship in the users table of mediawiki. The ability / complexity of such an approach would need to be investigated.

Input is welcome. I'll investigate whatever path people agree with and welcome other suggestions.

J.P. Maxwell / tipit.net <http://www.tipit.net>

On Wed, Feb 17, 2016 at 2:21 PM, Elizabeth K. Joseph <[email protected]> wrote:
> On Mon, Feb 15, 2016 at 7:46 AM, Jeremy Stanley <[email protected]> wrote:
> > On 2016-02-15 09:04:41 -0600 (-0600), JP Maxwell wrote:
> >> Tom, yes we can probably help. Do you want to ping me off list -
> >> need to get some more info about how it is setup / version
> >> controlled / deployed / etc.
> >
> > Our openstack_project::wiki class[1] calls into our mediawiki Puppet
> > module[2]. Ryan Lane set up and maintained most of this for us while
> > he was at WMF, but since he's moved on to other things it's fallen
> > into some disuse so assistance is appreciated!
> >
> > [1] http://git.openstack.org/cgit/openstack-infra/system-config/tree/modules/openstack_project/manifests/wiki.pp
> > [2] http://git.openstack.org/cgit/openstack-infra/puppet-mediawiki/tree/
>
> As Jeremy points out, our infrastructure is all open source so I'd
> prefer to keep this discussion here on the list so we can all pitch
> in. I don't see any active patches for this yet (please let me know if
> I've missed anything).
>
> Another data point: Canonical IS also uses Launchpad authentication,
> like we do, for edits to their Ubuntu wikis and have been hit pretty
> hard by spammers this week (initial attacks go back to December). They
> are on MoinMoin, we're on Mediawiki, so wiki-side anti-spam proposals
> will differ, but I've been keeping an eye on any solutions they may
> propose for altering how SSO is being handled for their wiki to
> perhaps shut these spammers down before they get a chance to edit.
>
> --
> Elizabeth Krumbach Joseph || Lyz || pleia2

_______________________________________________
OpenStack-Infra mailing list
[email protected]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-infra
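The captcha-on-edit idea from point 1 of the thread, written out as an added illustration that is not from the thread or from the openstack-infra Puppet module: a LocalSettings.php fragment using MediaWiki's ConfirmEdit extension with its reCAPTCHA (NoCaptcha) backend. The two keys are placeholders, and the choice of which groups are trusted enough to skip the challenge is an assumption.

```php
// LocalSettings.php fragment (added example, not the project's own config).
// Load ConfirmEdit and its reCAPTCHA ("NoCaptcha") backend.
wfLoadExtensions( [ 'ConfirmEdit', 'ConfirmEdit/ReCaptchaNoCaptcha' ] );
$wgCaptchaClass = 'ReCaptchaNoCaptcha';

// Placeholder keys: obtain real ones from the reCAPTCHA admin console and
// keep the secret out of the public Puppet repo (e.g. supplied via hiera).
$wgReCaptchaSiteKey   = 'RECAPTCHA_SITE_KEY_PLACEHOLDER';
$wgReCaptchaSecretKey = 'RECAPTCHA_SECRET_KEY_PLACEHOLDER';

// Challenge the actions a spam account actually needs, not only signup.
// Login is handled by Launchpad SSO, so 'createaccount' is left at its default.
$wgCaptchaTriggers['edit']   = true;  // every edit, including existing pages
$wgCaptchaTriggers['create'] = true;  // creating a new page
$wgCaptchaTriggers['addurl'] = true;  // edits that add external links

// Assumption: 'autoconfirmed' and 'sysop' hold established, trusted users.
// Exempting them keeps the humanity check focused on new or unknown accounts,
// which is the gap point 1 describes (fake accounts can still be created
// upstream; this only gates what they can do once logged in).
$wgGroupPermissions['*']['skipcaptcha']             = false;
$wgGroupPermissions['user']['skipcaptcha']          = false;
$wgGroupPermissions['autoconfirmed']['skipcaptcha'] = true;
$wgGroupPermissions['sysop']['skipcaptcha']         = true;
```

Note that the mobile-view SSO gap from point 2 is separate: ConfirmEdit gates the edit action regardless of skin, but an unauthenticated mobile path would still need its own fix.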
