That's a configuration problem, made worse with inaction. Fix is two steps;

1. enable the parole question on account creation, see
   https://dev.laptop.org/register for an example, and attached patch
   against 1.0.1,

2. delete the spam users using direct access to database, or delete
   all users and ask people to re-register (much lower cost), trac
   upstream probably has other solutions.

I've checked, trac is maintained upstream. New releases continue and
are packaged in Ubuntu;

- Ubuntu 14.04 LTS Trusty has trac 1.0.1, being used at OLPC,

- Ubuntu 14.10 Vivid has trac 1.0.2,

- Ubuntu 15.04 Wily has trac 1.0.8,

- Ubuntu 15.10 Xenial has trac 1.0.9, being used at Sugar Labs,

If Sugar Labs can't bring resources to bear on the problem, I'm fine
with discarding trac and using GitHub issues.

I'm fine with losing all open tickets, though that would not be
pleasant because we have many references in git history, Wiki, and
mailing list archives.

Tickets aren't used in the release process as far as I can tell, and
they are obviously a point of difficulty for new contributors.

On Tue, Mar 08, 2016 at 04:19:13PM -0500, Walter Bender wrote:
> I was going to bring this up at the last SLOB meeting but we ran out of time.
> We have serious problems with b.sl.o regarding user management. While I can
> assign new users unmoderated status, I cannot actually enable their accounts
> since I cannot access the user page (it is so full of spam users that it times
> out before loading -- even though Sam increased the timeout a few months
> back).
> The verification by email is broken, hence the need to find a different way to
> validate.
>
> My recommendation is that we look into alternatives to trac. We can keep the
> old system running as an archive, but it seems time to move on. (I've been
> told -- although I have not confirmed -- that trac is not regularly maintained
> upstream any more, which would be all the more reason to move on.)
>
> Does the sysadmin team have any recommendations? Any thoughts from the devel
> community?
>
> regards.
>
> -walter
>
> --
> Walter Bender
> Sugar Labs
> http://www.sugarlabs.org

--
James Cameron
http://quozl.netrek.org/

From: James Cameron <qu...@laptop.org> Date: Fri, 10 Oct 2014 21:30:29 +1100 Subject: [PATCH] add off-site reference attackers are persisting, so make it a bit more complex. next step is to require mail, and give no hints. diff --git a/register.py b/register.py index 9c3ecca..aebf9e0 100644 --- a/register.py +++ b/register.py @@ -170,9 +170,7 @@ class BotTrapCheck(GenericRegistrationInspector): # TRANSLATOR: Hint for visible bot trap registration input field. hint = tag.p(Markup(_( - """Please type [%(token)s] as verification token, - exactly replicating everything within the braces.""", - token=tag.b(self.reg_basic_token))), class_='hint') + """Apologies for the inconvenience, but please use the project Wiki, find the page referring to superseded deferments of a doddering shrew, and insert here the four words on the second line, or send mail to James Cameron. Attackers, remember that this will give me warning to respond through negative SEO on other sites within my control, so you won't win, just give up now.""")), class_='hint') insert = tag( tag.label(_("Parole:"), tag.input(type='text', name='basic_token', size=20, -- 1.8.3.2
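
Review bot: the replacement hint string in the BotTrapCheck hunk is site-specific text hardcoded inside `_()` in register.py, so the new msgid has no catalog entry, the `# TRANSLATOR:` comment kept above it is now stale, and the edit has to be re-applied every time register.py is upgraded. Suggest reading the hint from a configuration option rather than patching the source. The hunk also removes the `token=tag.b(self.reg_basic_token)` interpolation without showing where the expected four words are set; the `basic_token` input is still present, so the commit message should state that the configured token must be changed to match the Wiki page, since nothing in the visible lines does it. The hint tells registrants to "send mail to James Cameron" but gives no address, which leaves a legitimate user who cannot find the Wiki page with no fallback. The sentences addressed to attackers are better dropped from user-facing text: they disclose that the check is watched by hand and add nothing for the people the form is meant to admit.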
_______________________________________________
Sugar-devel mailing list
Sugar-devel@lists.sugarlabs.org
http://lists.sugarlabs.org/listinfo/sugar-devel