Re: Issue collectors
For the record, I'm going to move ahead with adding the issue collector. We can disable it again if it proves to be a problem. Justin On Fri, May 24, 2013 at 11:25 AM, Andrew Stitcher wrote: > On Fri, 2013-05-24 at 08:46 -0400, Justin Ross wrote: >> ... >> "If your JIRA instance is not accessible via the public internet >> feel free to ignore this message. Otherwise it is recommended that you >> update this project's permissions such that anonymous users are not >> allowed to browse issues." >> >> What do you think they mean by the "otherwise, disable anonymous >> browsing" part? Initially this didn't make sense to me. Now I figure >> this is meant for private orgs with a jira instance on the public >> internet, which wouldn't apply to us. >> > > I think what they're talking about here is the motivation for blog spam > - search engine "optimisation". So if a spammer can post a bug, and it > is anonymously available on the internet then it can be found by search > engines and push whatever URL they are trying to drive traffic to. > > Or at least this is my understanding of why spammers try to post links > to blogs etc. So if the url isn't publicly available then there is no > point in the posting in the first place from their pov. > > In this vein it might make sense to not allow anonymously posted bugs to > be available anonymously. > > Anyone have any other understanding(s)? > > Andrew > > > > - > To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org > For additional commands, e-mail: dev-h...@qpid.apache.org > - To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org For additional commands, e-mail: dev-h...@qpid.apache.org
Re: Issue collectors
On Fri, 2013-05-24 at 08:46 -0400, Justin Ross wrote: > ... > "If your JIRA instance is not accessible via the public internet > feel free to ignore this message. Otherwise it is recommended that you > update this project's permissions such that anonymous users are not > allowed to browse issues." > > What do you think they mean by the "otherwise, disable anonymous > browsing" part? Initially this didn't make sense to me. Now I figure > this is meant for private orgs with a jira instance on the public > internet, which wouldn't apply to us. > I think what they're talking about here is the motivation for blog spam - search engine "optimisation". So if a spammer can post a bug, and it is anonymously available on the internet then it can be found by search engines and push whatever URL they are trying to drive traffic to. Or at least this is my understanding of why spammers try to post links to blogs etc. So if the url isn't publicly available then there is no point in the posting in the first place from their pov. In this vein it might make sense to not allow anonymously posted bugs to be available anonymously. Anyone have any other understanding(s)? Andrew - To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org For additional commands, e-mail: dev-h...@qpid.apache.org
Issue collectors
Right now, the experience for users attempting to raise a jira isn't great. The "create jira" link fails and asks you to sign up for an account. I'd like to consider dropping that requirement. Jira offers "issue collectors" as a way to provide anonymous issue reporting. If you drill down to the "add issue collector" UI in our instance, you get the following warnings: "Issues in this project can be viewed by anonymous users. Issue collectors allow for issues to be created anonymously. This means your JIRA instance could be abused by a spammer who can create issues that are available publicly." That's a good point. I think it's worth trying, and we can disable it if spam becomes a problem. (And I wonder if there's a captcha somewhere in there.) "If your JIRA instance is not accessible via the public internet feel free to ignore this message. Otherwise it is recommended that you update this project's permissions such that anonymous users are not allowed to browse issues." What do you think they mean by the "otherwise, disable anonymous browsing" part? Initially this didn't make sense to me. Now I figure this is meant for private orgs with a jira instance on the public internet, which wouldn't apply to us. Justin - To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org For additional commands, e-mail: dev-h...@qpid.apache.org