Re: [pydotorg-www] Changing default wiki permissions

2013-01-25 Thread Radomir Dopieralski
On Thu, Jan 24, 2013 at 11:24 PM, Paul Boddie  wrote:
> Aahz wrote:
>> On Thu, Jan 24, 2013, M.-A. Lemburg wrote:
> Having some kind of mechanism for managing new user registration. I wouldn't
> want to impose the approval of new users because it stops the quick-but-good
> edits of people who are new to the Wiki but want to fix something, but it is
> the case that there may be a lot of "registration spam", meaning that the
> Wiki fills up with users who will never succeed in making an edit because
> they can't answer the textcha questions. Maybe there are already tools that
> deal with this. If not, I may be encouraged to write something.

I think that MoinMoin lets you put a textcha on the registration page too.
That pretty much solves this problem.
-- 
Radomir Dopieralski, http://sheep.art.pl
___
pydotorg-www mailing list
pydotorg-www@python.org
http://mail.python.org/mailman/listinfo/pydotorg-www


Re: [pydotorg-www] Changing default wiki permissions

2013-01-25 Thread M.-A. Lemburg
On 24.01.2013 23:24, Paul Boddie wrote:
> Aahz wrote:
>> On Thu, Jan 24, 2013, M.-A. Lemburg wrote:
>>> We're currently working on setting up the new VM with the Python and
>>> Jython wikis.
>>>
>>> In order to increase security and also to help a bit with avoiding
>>> spam/vandalism, we'd like to disable editing of wiki pages without
>>> login.
>>>
>>> Any objections ?
>>
>> That was in fact the setup previously, and I strongly support reverting
>> to it.  As Barry notes, there are some pages that will need a higher
>> level of protection, but as long as we've got off-VM backups, we can
>> handle any mishaps.
> 
> Indeed. I don't buy into the myth that people perpetuate about Wikis having to
> allow anonymous access or otherwise be instruments of The Man, or whatever.
> The Internet is full of people who will happily pollute any editable site 
> with their idiotic spams and scams, and some fairly basic measures will deter 
> the bulk of these people.

Given the positive echo, we'll go ahead with requiring logins for
edits per default.

> I recommend...
> 
> Requiring some kind of login. This actually makes it easier for the editors to
> see at a glance who has edited a page (Aahz rather than, say,
> 123-client.456-server.verizon.com) and make a quick judgement about whether 
> the edit needs investigating. We can support OpenID - you can even use your 
> Python Package Index identity! - and so don't even need to make people set 
> and remember distinct passwords.
> 
> Maintaining the textcha protection for random newcomers. I appreciate that 
> textcha questions can be a pain - on one Wiki I use, the questions required a 
> fair amount of research on my part because I am a mere developer and not part 
> of the target audience - but we can migrate people quickly to a group/list 
> that doesn't get bothered with questions. Textcha can be very effective: on 
> some sites I've seen where they turned the feature on, spam was more or less 
> eliminated.

We are using text based captchas for the Python and Jython wiki -
for both unregistered and registered users. There's a group
of trusted editors which doesn't have to bother with the captchas.

Additionally, we have a blocked user group to disable known spam
accounts.

> Having some kind of mechanism for managing new user registration. I wouldn't 
> want to impose the approval of new users because it stops the quick-but-good 
> edits of people who are new to the Wiki but want to fix something, but it is 
> the case that there may be a lot of "registration spam", meaning that the 
> Wiki fills up with users who will never succeed in making an edit because 
> they can't answer the textcha questions. Maybe there are already tools that 
> deal with this. If not, I may be encouraged to write something.

We currently have 11000 users registered for the Python wiki. I do
believe that many of those are no longer in use. Since we're resetting
the password of the users now, we should get a good feel for the
actual number of active users after a few months: the inactive ones
will show up as not having registered a new password.

> Beyond this, we could introduce edit approval for random newcomers - I wrote 
> something that puts edits in approval queues - but this is really something 
> for a site where you want the barrier to editing to be very low but the 
> barrier to publishing to be much higher. For the Python Wikis, the barrier to 
> editing should be low but not *very* low, and the barrier to publishing 
> should not be significantly higher.

If spam from registered users becomes more of a problem, we could
increase the number of captcha phrases.

> Finally, I would like to thank Marc-André for his forensic and recovery work 
> as well as Thomas and Reimar for their work in attempting to restore the 
> content. Once again, the PSF should be thanked for making resources available 
> for the improvement of MoinMoin in various respects. Ensuring the vitality of 
> widely-used Python projects like MoinMoin is an essential part of ensuring 
> the vitality of Python itself.

Thanks,
-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Jan 25 2013)
>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ...   http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/


: Try our mxODBC.Connect Python Database Interface for free ! ::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
   Registered at Amtsgericht Duesseldorf: HRB 46611
   http://www.egenix.com/company/contact/
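
Added example, not part of the original message and not the python.org wiki configuration: a simplified first-match model of MoinMoin-style ACL strings showing how the layers described above (login required to edit, textchas for everyone outside a trusted group, a blocked group for known spam accounts) combine, and why the blocked group has to be listed before `Known`. The group names, account names and ACL lines are assumptions made for illustration.

```python
# Simplified model of first-match ACL evaluation in the style of MoinMoin
# ACL strings ("Subject,Subject:right,right ..."). All group names, account
# names and ACL lines below are constructed for illustration.

GROUPS = {
    "BlockedUsersGroup": {"spam4711"},    # known spam accounts (constructed)
    "TrustedEditorsGroup": {"Aahz"},      # editors exempt from textchas
}

# Policy from the thread: anonymous users may only read, any logged-in user
# may edit, blocked accounts are reduced to read-only.
ACL = ("BlockedUsersGroup:read "
       "TrustedEditorsGroup:read,write,delete,revert "
       "Known:read,write "
       "All:read")

# Same entries, but the blocked group is listed after Known.
MISORDERED_ACL = "Known:read,write BlockedUsersGroup:read All:read"


def parse_acl(acl):
    """Split an ACL string into ordered (subjects, rights) entries."""
    entries = []
    for item in acl.split():
        who, _, rights = item.partition(":")
        entries.append((who.split(","), set(filter(None, rights.split(",")))))
    return entries


def matches(subject, user):
    """user is an account name, or None for an anonymous visitor."""
    if subject == "All":
        return True
    if user is None:
        return False
    if subject == "Known":                # any logged-in account
        return True
    if subject in GROUPS:
        return user in GROUPS[subject]
    return subject == user


def may(user, right, acl=ACL):
    """First entry that matches the user decides; later entries are ignored."""
    for subjects, rights in parse_acl(acl):
        if any(matches(s, user) for s in subjects):
            return right in rights
    return False


def needs_textcha(user):
    """Everyone outside the trusted group has to answer a textcha."""
    return user is None or user not in GROUPS["TrustedEditorsGroup"]


def edit_decision(user, acl=ACL):
    if not may(user, "write", acl):
        return "deny"
    return "allow+textcha" if needs_textcha(user) else "allow"


if __name__ == "__main__":
    for who in (None, "newcomer", "Aahz", "spam4711"):
        print(who, "->", edit_decision(who))
    # With the misordered ACL the blocked account matches Known first.
    print("misordered:", edit_decision("spam4711", MISORDERED_ACL))
```

Because the first matching entry wins, a blocked account that is also a logged-in account keeps write access unless its group appears before `Known`.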


Re: [pydotorg-www] Changing default wiki permissions

2013-01-25 Thread M.-A. Lemburg
On 25.01.2013 10:36, anatoly techtonik wrote:
> On Thu, Jan 24, 2013 at 5:13 PM, M.-A. Lemburg  wrote:
> 
>> We're currently working on setting up the new VM with the
>> Python and Jython wikis.
>>
>> In order to increase security and also to help a bit with
>> avoiding spam/vandalism, we'd like to disable editing
>> of wiki pages without login.
>>
>> Any objections ?
>>
> 
> What was the monthly amount of posts from anonymous spammers?
> What was the ratio of spam posts of anonymous vs registered spammers?
> 
> If both parameters are low, I'd be -1. In other 'words':
> 
> if monthly.spam.unreg < 5 and monthly.spam.unreg/float(monthly.spam.reg) < 1:
>     registration.disable()

If you could define a function to determine whether an edit was
spam or not, such statistics would be possible - and a lot more ;-).

-- 
Marc-Andre Lemburg
eGenix.com



Re: [pydotorg-www] Changing default wiki permissions

2013-01-25 Thread anatoly techtonik
On Thu, Jan 24, 2013 at 5:13 PM, M.-A. Lemburg  wrote:

> We're currently working on setting up the new VM with the
> Python and Jython wikis.
>
> In order to increase security and also to help a bit with
> avoiding spam/vandalism, we'd like to disable editing
> of wiki pages without login.
>
> Any objections ?
>

What was the monthly amount of posts from anonymous spammers?
What was the ratio of spam posts of anonymous vs registered spammers?

If both parameters are low, I'd be -1. In other 'words':

if monthly.spam.unreg < 5 and monthly.spam.unreg/float(monthly.spam.reg) < 1:
    registration.disable()


Re: [pydotorg-www] Changing default wiki permissions

2013-01-24 Thread Paul Boddie
Aahz wrote:
> On Thu, Jan 24, 2013, M.-A. Lemburg wrote:
> > We're currently working on setting up the new VM with the Python and
> > Jython wikis.
> >
> > In order to increase security and also to help a bit with avoiding
> > spam/vandalism, we'd like to disable editing of wiki pages without
> > login.
> >
> > Any objections ?
>
> That was in fact the setup previously, and I strongly support reverting
> to it.  As Barry notes, there are some pages that will need a higher
> level of protection, but as long as we've got off-VM backups, we can
> handle any mishaps.

Indeed. I don't buy into the myth that people perpetuate about Wikis having to 
allow anonymous access or otherwise be instruments of The Man, or whatever. 
The Internet is full of people who will happily pollute any editable site 
with their idiotic spams and scams, and some fairly basic measures will deter 
the bulk of these people.

I recommend...

Requiring some kind of login. This actually makes it easier for the editors to 
see at a glance who has edited a page (Aahz rather than, say, 
123-client.456-server.verizon.com) and make a quick judgement about whether 
the edit needs investigating. We can support OpenID - you can even use your 
Python Package Index identity! - and so don't even need to make people set 
and remember distinct passwords.

Maintaining the textcha protection for random newcomers. I appreciate that 
textcha questions can be a pain - on one Wiki I use, the questions required a 
fair amount of research on my part because I am a mere developer and not part 
of the target audience - but we can migrate people quickly to a group/list 
that doesn't get bothered with questions. Textcha can be very effective: on 
some sites I've seen where they turned the feature on, spam was more or less 
eliminated.

Having some kind of mechanism for managing new user registration. I wouldn't 
want to impose the approval of new users because it stops the quick-but-good 
edits of people who are new to the Wiki but want to fix something, but it is 
the case that there may be a lot of "registration spam", meaning that the 
Wiki fills up with users who will never succeed in making an edit because 
they can't answer the textcha questions. Maybe there are already tools that 
deal with this. If not, I may be encouraged to write something.

Beyond this, we could introduce edit approval for random newcomers - I wrote 
something that puts edits in approval queues - but this is really something 
for a site where you want the barrier to editing to be very low but the 
barrier to publishing to be much higher. For the Python Wikis, the barrier to 
editing should be low but not *very* low, and the barrier to publishing 
should not be significantly higher.

Finally, I would like to thank Marc-André for his forensic and recovery work 
as well as Thomas and Reimar for their work in attempting to restore the 
content. Once again, the PSF should be thanked for making resources available 
for the improvement of MoinMoin in various respects. Ensuring the vitality of 
widely-used Python projects like MoinMoin is an essential part of ensuring 
the vitality of Python itself.

Paul


Re: [pydotorg-www] Changing default wiki permissions

2013-01-24 Thread Aahz
On Thu, Jan 24, 2013, M.-A. Lemburg wrote:
>
> We're currently working on setting up the new VM with the Python and
> Jython wikis.
>
> In order to increase security and also to help a bit with avoiding
> spam/vandalism, we'd like to disable editing of wiki pages without
> login.
>
> Any objections ?

That was in fact the setup previously, and I strongly support reverting
to it.  As Barry notes, there are some pages that will need a higher
level of protection, but as long as we've got off-VM backups, we can
handle any mishaps.
-- 
Aahz (a...@pythoncraft.com)   <*> http://www.pythoncraft.com/

Weinberg's Second Law: If builders built buildings the way programmers wrote 
programs, then the first woodpecker that came along would destroy civilization.


Re: [pydotorg-www] Changing default wiki permissions

2013-01-24 Thread M.-A. Lemburg
On 24.01.2013 15:21, Jeremy Baron wrote:
> On Jan 24, 2013 9:14 AM, "M.-A. Lemburg"  wrote:
>> We're currently working on setting up the new VM with the
>> Python and Jython wikis.
> […]
> 
> Is this being automated or documented in any way? e.g. with puppet.

Both :-) The infrastructure team is using Chef for the management,
but there are still some manual steps involved in a moin wiki setup
that are not easy to automate (part of the setup requires visiting
pages, clicking on links, etc).

> So that next time you need to make a new one from scratch it is then a
> trivial task.

The setup isn't all that hard. The hard part was trying to recover at
least some of the content and getting it back into the wiki.

-- 
Marc-Andre Lemburg
eGenix.com



Re: [pydotorg-www] Changing default wiki permissions

2013-01-24 Thread M.-A. Lemburg
On 24.01.2013 16:28, Radomir Dopieralski wrote:
> On Thu, Jan 24, 2013 at 3:13 PM, M.-A. Lemburg  wrote:
>> We're currently working on setting up the new VM with the
>> Python and Jython wikis.
>>
>> In order to increase security and also to help a bit with
>> avoiding spam/vandalism, we'd like to disable editing
>> of wiki pages without login.
>>
>> Any objections ?
> 
> I don't really have any objections, but it may interest you that the
> last few spammer attacks on the wiki all registered random accounts
> automatically and logged in before posting their spam.

I know it's not the ultimate tool against spammers :-)

We were thinking more about things like the attacks by script
kiddies we've seen after the Debian announcement. I would think
that having to log in before being able to run the action
would have made people think twice.

-- 
Marc-Andre Lemburg
eGenix.com



Re: [pydotorg-www] Changing default wiki permissions

2013-01-24 Thread Chris Angelico
On Fri, Jan 25, 2013 at 3:05 AM, M.-A. Lemburg  wrote:
> On 24.01.2013 15:27, Chris Angelico wrote:
>> On Fri, Jan 25, 2013 at 1:13 AM, M.-A. Lemburg  wrote:
>>> In order to increase security and also to help a bit with
>>> avoiding spam/vandalism, we'd like to disable editing
>>> of wiki pages without login.
>>>
>>> Any objections ?
>>
>> Strongly support, as long as it's easy enough to create a login. +0 if
>> logins take a lot of time (or admin approval) before being permitted.
>
> It doesn't need admin approval. You just need to sign up. It's a
> small extra burden. As a side effect, the history of page edits
> also becomes more readable.

Then yeah, there's no need to allow anonymous editing. Wikipedia does,
but plenty don't. It just bugs me now and then when I come across a
wiki with a trivial typo or something, and I sign up, and it tells me
a mod has to grant me editing rights; why advertise that it's editable
if it basically isn't? By the time someone gets around to granting
permission, I've probably moved along, the edit wasn't worth the
hassle.

Course, it won't stop spam, as others mentioned.

ChrisA


Re: [pydotorg-www] Changing default wiki permissions

2013-01-24 Thread M.-A. Lemburg
On 24.01.2013 15:27, Chris Angelico wrote:
> On Fri, Jan 25, 2013 at 1:13 AM, M.-A. Lemburg  wrote:
>> In order to increase security and also to help a bit with
>> avoiding spam/vandalism, we'd like to disable editing
>> of wiki pages without login.
>>
>> Any objections ?
> 
> Strongly support, as long as it's easy enough to create a login. +0 if
> logins take a lot of time (or admin approval) before being permitted.

It doesn't need admin approval. You just need to sign up. It's a
small extra burden. As a side effect, the history of page edits
also becomes more readable.

-- 
Marc-Andre Lemburg
eGenix.com



Re: [pydotorg-www] Changing default wiki permissions

2013-01-24 Thread Barry Warsaw
On Jan 24, 2013, at 04:28 PM, Radomir Dopieralski wrote:

>On Thu, Jan 24, 2013 at 3:13 PM, M.-A. Lemburg  wrote:
>> We're currently working on setting up the new VM with the
>> Python and Jython wikis.
>>
>> In order to increase security and also to help a bit with
>> avoiding spam/vandalism, we'd like to disable editing
>> of wiki pages without login.
>>
>> Any objections ?
>
>I don't really have any objections, but it may interest you that the
>last few spammer attacks on the wiki all registered random accounts
>automatically and logged in before posting their spam.

+1 for the change, although based on my experience with the (Confluence-based)
Mailman wiki, it won't help much.  We've resorted to adding a special
"authors" group and only allowing folks in that group to edit pages.  You have
to explicitly ask the Mailman cabal for permission to join the group.  Now the
only spam we get (and it is *way* less than it ever was) is in the actual
wiki-joining account information.

Cheers,
-Barry


Re: [pydotorg-www] Changing default wiki permissions

2013-01-24 Thread Radomir Dopieralski
On Thu, Jan 24, 2013 at 3:13 PM, M.-A. Lemburg  wrote:
> We're currently working on setting up the new VM with the
> Python and Jython wikis.
>
> In order to increase security and also to help a bit with
> avoiding spam/vandalism, we'd like to disable editing
> of wiki pages without login.
>
> Any objections ?

I don't really have any objections, but it may interest you that the
last few spammer attacks on the wiki all registered random accounts
automatically and logged in before posting their spam.

-- 
Radomir Dopieralski, http://sheep.art.pl


Re: [pydotorg-www] Changing default wiki permissions

2013-01-24 Thread Chris Angelico
On Fri, Jan 25, 2013 at 1:13 AM, M.-A. Lemburg  wrote:
> In order to increase security and also to help a bit with
> avoiding spam/vandalism, we'd like to disable editing
> of wiki pages without login.
>
> Any objections ?

Strongly support, as long as it's easy enough to create a login. +0 if
logins take a lot of time (or admin approval) before being permitted.

ChrisA


Re: [pydotorg-www] Changing default wiki permissions

2013-01-24 Thread Jeremy Baron
On Jan 24, 2013 9:14 AM, "M.-A. Lemburg"  wrote:
> We're currently working on setting up the new VM with the
> Python and Jython wikis.
[…]

Is this being automated or documented in any way? e.g. with puppet.

So that next time you need to make a new one from scratch it is then a
trivial task.

-Jeremy