On Sat, Apr 16, 2011 at 3:56 AM, Dr. David Kirkby <david.kir...@onetel.net> wrote:
> On 04/15/11 09:43 PM, Justin C. Walker wrote:
>>
>> On 15 Apr, 2011, at 13:21 PM, David Kirkby wrote:
>>
>>> On 15 April 2011 17:51, Volker Braun<vbraun.n...@gmail.com> wrote:
>>>>
>>>> I would think that it is sufficient to only allow non-anonymous email
>>>> accounts. For example:
>>>> * an institutional address: .edu, .ac.uk, ...
>>>> * a sourceforge-address associated to an active project
>>>> * an address that has been used to post to google groups before (use
>>>> search)
>>>> People that want to use their gmail account, say, can still change their
>>>> email address on the trac preferences.
>>>
>>> Any one of those seem fine - as would be any email from a well known
>>> company (IBM, HP, Boeing, Airbus, Wolfram Research etc).
>>
>> Not really. You can't rely on mail with this in the header:
>> From: j...@wolfram.com
>> You have to check the detailed headers to be (somewhat) sure that the
>> 'From' address is valid. Most spammers either cobble together 'From' (as
>> well as 'To') addresses, and may even forge most (if not all) of the
>> detailed header content.
>
> Though as long as the account is created for j...@wolfram.com, it will not
> result in any spam to trac. So if j...@spamsite.com fakes his email to be
> j...@wolfram.com, only j...@wolfram.com could post to trac, not
> j...@spamsite.com.
>
>>> What I would find unacceptable is if some unknown person wants a trac
>>> account for an anonymous account, having never posted to sage-devel or
>>> sage-support.
>>
>> +1. I think posting to sage-devel/support would have to be a
>> pre-requisite (why get a trac account otherwise?), RobertB's example
>> notwithstanding. In the latter case, there may be an alternate approach,
>> but for requests out of the blue, I can't think of a good reason to do it.
>>
>> Justin
>
> Legitimate exceptions have been raised - like when one trusted person
> vouches for another.
>
> One perfectly reasonable thing for an account manager to do would be a
> Google search on any email. If the requested email address has posts on
> other forums or lists which are sensible and go back at least a few months,
> then the chances are they are not going to spam trac.
>
> I know it can be annoying when you want to post to a forum and unnecessary
> obstacles get in the way, so I think we should make account creation as fast
> as reasonably practical. But if we just accept any request without some
> checking, we might as well get a computer to automatically authorise the
> accounts.

Quite honestly, when I have a bug to report, if I can't finish the transaction right away then it's unlikely I'll go through the hoops and report the bug later (unless the bug is really important). This is especially true if I have to wait for a human to enter the loop, so we want to have the barrier as low as possible.

Ideally, anyone could file a bug on trac (or a similar system), and only after they're moderated do they become visible. After a number (maybe even one) ticket is accepted, the moderation would then be lifted. Another option would be to only allow automatic account creation for emails seen on sage-[devel|support], which could be easily automated, perhaps with email verification (a link sent out). Does anyone know if trac can be set up like that?

+1 to a sage-trac-admin group which could easily handle the rest. The hurdle to jump would be someone else vouching for them or a bug to report or an (intelligent) comment/fix to an existing bug, which is why anyone would want an account anyways. I really don't think the bar needs to be raised that high to filter out the spammers--I don't think we're big enough to attract more than the semi-automated shotgun-approach attack.

- Robert
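
The automated path proposed in this message (auto-approve only addresses already seen on the lists, then confirm with an emailed link) can be sketched as follows. This is an added example, not part of the original thread and not Trac functionality; `SEEN_ON_LISTS`, `SECRET`, `TOKEN_TTL`, `issue_token` and `verify_token` are hypothetical names, and the addresses are constructed samples. Because the token only ever travels to the mailbox itself, a forged `From:` header on the request gains the requester nothing.

```python
import base64
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"   # assumption: random key held only by the server
TOKEN_TTL = 24 * 3600                 # assumption: links expire after one day
# Constructed sample of addresses already seen posting to sage-devel/sage-support.
SEEN_ON_LISTS = {"alice@example.edu", "bob@example.org"}


def _sign(payload: bytes) -> bytes:
    return hmac.new(SECRET, payload, hashlib.sha256).digest()


def issue_token(addr, now=None):
    """Token for the verification link, or None when a human must review."""
    addr = addr.strip().lower()
    if addr not in SEEN_ON_LISTS:
        return None
    now = time.time() if now is None else now
    payload = f"{addr}|{int(now) + TOKEN_TTL}".encode()
    enc = base64.urlsafe_b64encode
    return enc(payload).decode() + "." + enc(_sign(payload)).decode()


def verify_token(token, now=None):
    """Address proven by a clicked link, or None if forged, damaged or expired."""
    try:
        p64, s64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        sig = base64.urlsafe_b64decode(s64)
        addr, expires = payload.decode().rsplit("|", 1)
        expires = int(expires)
    except ValueError:  # bad base64, bad UTF-8, wrong number of fields
        return None
    if not hmac.compare_digest(sig, _sign(payload)):
        return None
    now = time.time() if now is None else now
    return addr if now <= expires else None


if __name__ == "__main__":
    link_token = issue_token("Alice@Example.edu")
    print(verify_token(link_token))            # alice@example.edu
    print(issue_token("mallory@example.net"))  # None
```

Requests for which `issue_token` returns `None` would fall through to the human review (the sage-trac-admin group) discussed in the thread.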