Re: QA group joining process: new members cannot subscribe to list until approved
On Sat, Aug 06, 2016 at 11:30:04AM -0700, Adam Williamson wrote: > > What do you think of the idea of directly contacting people who apply > without sending a self-intro mail? The only issue I can think of with that is you are potentially giving your email to a spammer. Otherwise, I like it. John. -- test mailing list test@lists.fedoraproject.org To unsubscribe: https://lists.fedoraproject.org/admin/lists/test@lists.fedoraproject.org
Re: QA group joining process: new members cannot subscribe to list until approved
On Sat, 2016-08-06 at 13:35 -0400, John Dulaney wrote: > Personally, I'm a bit hesitant to sponsor someone that has not sent an > introduction email. I also check to see if they're on IRC, and if I > see neither, I'm a bit hesitant to sponsor them. If I see them on IRC > but don't see an email, obviously I'll sponsor them. What do you think of the idea of directly contacting people who apply without sending a self-intro mail? -- test mailing list test@lists.fedoraproject.org To unsubscribe: https://lists.fedoraproject.org/admin/lists/test@lists.fedoraproject.org
Re: QA group joining process: new members cannot subscribe to list until approved
On Fri, Aug 05, 2016 at 05:28:33PM -0700, Adam Williamson wrote: > Well we're definitely out of scope now...but for some key personnel > (people with admin access to key servers and so on), we actually do > need as many contact methods as possible. If there's a massive hack or > a huge security issue, or something, we need to be able to get in touch > with folks very quickly, an email or IRC ping may not cut it. I don't > know if that's the reason, just thinking it through. It may also have > had something to do with the really old CLA, I have vague memories that > that involved faxes and stuff at some point, but it may just be the > drugs talking... > -- Wasn't that for the old soft phone thingy that used to be in place? Personally, I'm a bit hesitant to sponsor someone that has not sent an introduction email. I also check to see if they're on IRC, and if I see neither, I'm a bit hesitant to sponsor them. If I see them on IRC but don't see an email, obviously I'll sponsor them. John. -- test mailing list test@lists.fedoraproject.org To unsubscribe: https://lists.fedoraproject.org/admin/lists/test@lists.fedoraproject.org
Re: QA group joining process: new members cannot subscribe to list until approved
On Fri, 2016-08-05 at 16:48 -0600, Viorel Tabara wrote: > On Fri Aug 05 2016 16:08:49 GMT-0600 (MDT) Adam Williamson > wrote: > > > > Still, we could probably clarify the join process in any case. > > What's the purpose of phone number in FAS? It's a piece of personal > information > spammers will never reveal. Well we're definitely out of scope now...but for some key personnel (people with admin access to key servers and so on), we actually do need as many contact methods as possible. If there's a massive hack or a huge security issue, or something, we need to be able to get in touch with folks very quickly, an email or IRC ping may not cut it. I don't know if that's the reason, just thinking it through. It may also have had something to do with the really old CLA, I have vague memories that that involved faxes and stuff at some point, but it may just be the drugs talking... -- test mailing list test@lists.fedoraproject.org To unsubscribe: https://lists.fedoraproject.org/admin/lists/test@lists.fedoraproject.org
Re: QA group joining process: new members cannot subscribe to list until approved
On Fri Aug 05 2016 16:08:49 GMT-0600 (MDT) Adam Williamson wrote: > Still, we could probably clarify the join process in any case. What's the purpose of phone number in FAS? It's a piece of personal information spammers will never reveal. -- Viorel -- test mailing list test@lists.fedoraproject.org To unsubscribe: https://lists.fedoraproject.org/admin/lists/test@lists.fedoraproject.org
Re: QA group joining process: new members cannot subscribe to list until approved
On Fri, 05 Aug 2016 15:08:49 -0700 Adam Williamson wrote: > Hmm, sorry. Someone said this was the case on IRC, and I didn't > actually check - I should have. > > Still, we could probably clarify the join process in any case. I'll > come up with a separate proposal for that. Note that the one change we did make was for the wiki... it needs cla+1 now. We have talked about making a 'wikieditors' group and sponsoring in anyone that needs to edit the wiki to that, but we haven't really sorted that out yet. kevin pgpkK50ag9Km_.pgp Description: OpenPGP digital signature -- test mailing list test@lists.fedoraproject.org To unsubscribe: https://lists.fedoraproject.org/admin/lists/test@lists.fedoraproject.org
Re: QA group joining process: new members cannot subscribe to list until approved
On Fri, 2016-08-05 at 15:54 -0600, Kevin Fenzi wrote: > On Fri, 05 Aug 2016 12:48:39 -0700 > Adam Williamson wrote: > > > > > Hi folks! In an IRC discussion with a new member this morning, we > > became aware of an issue (possibly some folks knew about this already, > > but I didn't!) in the joining process. This is mostly of interest to > > qa group moderators/sponsors, but I figured it can't hurt to make > > everyone aware. > > > > Recently, the Powers That Be have made it so you can't subscribe to > > Fedora mailing lists until you're a member of the FAS 'cla' group > > (which you become a member of by signing the contributor agreement) > > *and* one other group. This requirement is intended to combat spam > > coming from bots which just create new accounts, sign the CA, then > > start subscribing to lists and sending out spam - that whole process > > can be fully automated, and has apparently been a real problem. So the > > intent is to make sure only people who've been made a member of a > > 'real' FAS group by some kind of human, non-automatable process can > > join the lists. > > This is not correct. You absolutely do not need cla+1 to join a mailing > list. How could that even be enforced? You can sign into mailman with > yahoo or persona (which have no ideas about groups). > > Fas does, but you can add arbitrary email addresses to your account. > > In short, this is not the case that I know of, so no adjustment should > need to be made. Hmm, sorry. Someone said this was the case on IRC, and I didn't actually check - I should have. Still, we could probably clarify the join process in any case. I'll come up with a separate proposal for that. -- test mailing list test@lists.fedoraproject.org To unsubscribe: https://lists.fedoraproject.org/admin/lists/test@lists.fedoraproject.org
Re: QA group joining process: new members cannot subscribe to list until approved
On Fri, 05 Aug 2016 12:48:39 -0700 Adam Williamson wrote: > Hi folks! In an IRC discussion with a new member this morning, we > became aware of an issue (possibly some folks knew about this already, > but I didn't!) in the joining process. This is mostly of interest to > qa group moderators/sponsors, but I figured it can't hurt to make > everyone aware. > > Recently, the Powers That Be have made it so you can't subscribe to > Fedora mailing lists until you're a member of the FAS 'cla' group > (which you become a member of by signing the contributor agreement) > *and* one other group. This requirement is intended to combat spam > coming from bots which just create new accounts, sign the CA, then > start subscribing to lists and sending out spam - that whole process > can be fully automated, and has apparently been a real problem. So the > intent is to make sure only people who've been made a member of a > 'real' FAS group by some kind of human, non-automatable process can > join the lists. This is not correct. You absolutely do not need cla+1 to join a mailing list. How could that even be enforced? You can sign into mailman with yahoo or persona (which have no ideas about groups). Fas does, but you can add arbitrary email addresses to your account. In short, this is not the case that I know of, so no adjustment should need to be made. kevin pgpL3RE1RN2FQ.pgp Description: OpenPGP digital signature -- test mailing list test@lists.fedoraproject.org To unsubscribe: https://lists.fedoraproject.org/admin/lists/test@lists.fedoraproject.org
Re: QA group joining process: new members cannot subscribe to list until approved
On Fri, 2016-08-05 at 14:22 -0700, Rick Stevens wrote: > Uh, wouldn't the addition of a "captcha" on the signup page make > joining up without requiring additional group memberships easier and > more bot-proof? That would also prevent the sponsors having to deal > with a slew of botted initial contacts. Well, I'm just trying to match up with what's actually happened, as opposed to debating whether the Fedora sysadmins could handle the spam problem differently, I'd rather not get diverted too far down that track. But in general I'd say our sysadmin folks are pretty good at what they do and I'm inclined to trust them. I'm nowhere near as experienced in such matters as they are, but it's my general understanding that captchas are a long way from foolproof, and the better captcha systems tend to be ones Fedora does not find palatable (as they tend to involve roping the user in to be an unpaid image recognition worker for Google...) -- test mailing list test@lists.fedoraproject.org To unsubscribe: https://lists.fedoraproject.org/admin/lists/test@lists.fedoraproject.org
Re: QA group joining process: new members cannot subscribe to list until approved
On 08/05/2016 12:48 PM, Adam Williamson wrote: > Hi folks! In an IRC discussion with a new member this morning, we > became aware of an issue (possibly some folks knew about this already, > but I didn't!) in the joining process. This is mostly of interest to qa > group moderators/sponsors, but I figured it can't hurt to make everyone > aware. > > Recently, the Powers That Be have made it so you can't subscribe to > Fedora mailing lists until you're a member of the FAS 'cla' group > (which you become a member of by signing the contributor agreement) > *and* one other group. This requirement is intended to combat spam > coming from bots which just create new accounts, sign the CA, then > start subscribing to lists and sending out spam - that whole process > can be fully automated, and has apparently been a real problem. So the > intent is to make sure only people who've been made a member of a > 'real' FAS group by some kind of human, non-automatable process can > join the lists. > > When we wrote https://fedoraproject.org/wiki/QA/Join , this wasn't the > case, and the idea was more or less that people should apply to the > group and *at the same time* join the mailing list and send a self- > introduction mail; the self-intro would show that they were a genuine > applicant, and moderators could approve their membership after seeing > the self-introduction mail. Since then we made it a bit more ambiguous > and made it so the self-introduction mail isn't required, but I still > tend to look for a self-intro mail before approving new members. > > Obviously, with the new rules, many prospective members won't actually > be able to join the list and send a self-intro at all until we approve > their membership - they could only do so if they were already a member > of some other Fedora group. > > So, I'm proposing we make a slightly tweaked process explicit. My > suggestion is that it should work like this: > > 1. Prospective member sends group membership application > 2. A sponsor contacts the prospective member - usually by email, but > IRC is fine if both the prospective member and the sponsor happen to be > there - to confirm they're a real person, really interested in QA, and > they've read the Join page > 3. If there's a positive response, the sponsor approves the membership > 4. The member can now join the list and send a self-intro mail > (encouraged but not required, as now) > > When contacting prospective members by email, sponsors should copy the > mail to qa-spons...@fedoraproject.org , so other sponsors are aware > that the prospective members have been contacted and we don't get > duplicate contacts. If contacting *multiple* prospective members at > once with a single mail, sponsors should send the mail To: qa-sponsors@ > fedoraproject.org and *BCC* the prospective members, so their email > addresses aren't disclosed to each other. > > Does this all sound OK? If so, I can tweak the Join page a bit to > reflect this process, and maybe throw together a sponsor SOP for > sponsors. Thanks everyone! Uh, wouldn't the addition of a "captcha" on the signup page make joining up without requiring additional group memberships easier and more bot-proof? That would also prevent the sponsors having to deal with a slew of botted initial contacts. Just a thought. -- - Rick Stevens, Systems Engineer, AllDigitalri...@alldigital.com - - AIM/Skype: therps2ICQ: 226437340 Yahoo: origrps2 - -- - Politicians are the opposite of pickpockets because you never see - -them take their hand out of your pocket.- - -- Larry Fine - -- -- test mailing list test@lists.fedoraproject.org To unsubscribe: https://lists.fedoraproject.org/admin/lists/test@lists.fedoraproject.org
QA group joining process: new members cannot subscribe to list until approved
Hi folks! In an IRC discussion with a new member this morning, we became aware of an issue (possibly some folks knew about this already, but I didn't!) in the joining process. This is mostly of interest to qa group moderators/sponsors, but I figured it can't hurt to make everyone aware. Recently, the Powers That Be have made it so you can't subscribe to Fedora mailing lists until you're a member of the FAS 'cla' group (which you become a member of by signing the contributor agreement) *and* one other group. This requirement is intended to combat spam coming from bots which just create new accounts, sign the CA, then start subscribing to lists and sending out spam - that whole process can be fully automated, and has apparently been a real problem. So the intent is to make sure only people who've been made a member of a 'real' FAS group by some kind of human, non-automatable process can join the lists. When we wrote https://fedoraproject.org/wiki/QA/Join , this wasn't the case, and the idea was more or less that people should apply to the group and *at the same time* join the mailing list and send a self- introduction mail; the self-intro would show that they were a genuine applicant, and moderators could approve their membership after seeing the self-introduction mail. Since then we made it a bit more ambiguous and made it so the self-introduction mail isn't required, but I still tend to look for a self-intro mail before approving new members. Obviously, with the new rules, many prospective members won't actually be able to join the list and send a self-intro at all until we approve their membership - they could only do so if they were already a member of some other Fedora group. So, I'm proposing we make a slightly tweaked process explicit. My suggestion is that it should work like this: 1. Prospective member sends group membership application 2. A sponsor contacts the prospective member - usually by email, but IRC is fine if both the prospective member and the sponsor happen to be there - to confirm they're a real person, really interested in QA, and they've read the Join page 3. If there's a positive response, the sponsor approves the membership 4. The member can now join the list and send a self-intro mail (encouraged but not required, as now) When contacting prospective members by email, sponsors should copy the mail to qa-spons...@fedoraproject.org , so other sponsors are aware that the prospective members have been contacted and we don't get duplicate contacts. If contacting *multiple* prospective members at once with a single mail, sponsors should send the mail To: qa-sponsors@ fedoraproject.org and *BCC* the prospective members, so their email addresses aren't disclosed to each other. Does this all sound OK? If so, I can tweak the Join page a bit to reflect this process, and maybe throw together a sponsor SOP for sponsors. Thanks everyone! -- test mailing list test@lists.fedoraproject.org To unsubscribe: https://lists.fedoraproject.org/admin/lists/test@lists.fedoraproject.org
