[arch-dev-public] [objectives] Package triage on current + extra (archstats)

Dan McGee dpmcgee at gmail.com
Mon May 7 15:37:04 EDT 2007


On 5/7/07, Aaron Griffin <aaronmgriffin at gmail.com> wrote:
> On 5/7/07, Dan McGee <dpmcgee at gmail.com> wrote:
> > On 5/7/07, Jürgen Hötzel <juergen at hoetzel.info> wrote:
> > > On Mon, May 07, 2007 at 12:13:16PM -0400, Dan McGee wrote:
> > > >
> > > > I've managed to remove about 500 lines of code by moving repetition to
> > > > functions (still more to be done, but that was 1/6 of the code). I
> > > > also completely bypassed the MD5sum checking stuff, showing how that
> > > > is worthless. Simo and I were trying to think of a better way to do
> > > > client verification (Jürgen, any ideas?), and we came up with nothing.
> > > >
> > >
> > > There is no solution, if users are anonymous. A simple workaround/hack:
> > >
> > > Prevent connects from the same IP (for a limited time period).
> > >
> > > This could limit the possibility to flood the database with multiple
> > > machine entries from one user.
> >
> > I thought about this solution as well, but I realized it does carry
> > with it a rather large negative. If a user has 4 Arch boxes behind a
> > router with NAT, and they all run archstats as a cronjob at the same
> > time, we would be excluding all but 1 of his boxes from updates.
> >
> > How essential is user anonymity on submission? Would users feel
> > comfortable registering (which is a hurdle I think we should try to
> > avoid) if their anonymous state was still preserved in any data
> > presented to the user?
>
> One thing cactus brought up recently is user ldap support.  Suppsoedly
> mediawiki and punbb support ldap login.  If were were to use ldap for
> user accounts, we could spread that to all aspects, such as the AUR
> and archstats.
>
> *Then* we could implement the "only one submission from this user
> every X minutes" setup.

I like this idea. I don't think most people would object to having to
"register" if it was a "register once for everything" type of thing.
In addition, this would keep out junk data (people without accounts)
and misconfigured clients (sending every 5 minutes). However, some
(many?) users have multiple computers but that should be a minor
implementation detail to work with later.

Looks like Flyspray doesn't and won't have it though:
http://bugs.flyspray.org/task/233
http://bugs.flyspray.org/task/758

-Dan


More information about the arch-dev-public mailing list