Julien Plissonneau Duquène <sre4e...@free.fr> writes:

> I would first try to improve the Salsa registration process. I
> understand the need to prevent recurrent abuse, but the current manual
> approval process with its delay and lack of feedback when things go
> wrong is likely to discourage casual contributors, as what could have
> been done in a few minutes now requires attention over multiple hours or
> days.

I would be worried about dropping the manual approval due to the sheer volume of sophisticated automated spam account creation attacks on any sort of authentication process with automatic sign-up.

Right now, we are in the enviable position where there is essentially no spam via Salsa. I have seen what the level of spam looks like with an automated sign-up process, and it would probably make me disable all of my Salsa notifications, which would be a shame for other reasons. The only way that companies like GitHub claw their way back from that is by having a substantial anti-abuse team and a lot of constantly-tweaked automation to detect and defeat spam. It is very, very easy for anything on the Internet with public automated registration to immediately drown in SEO spam.

Maybe there are more effective defenses than I am aware of (captcha methods are definitely not sufficient in my experience) that we would fall back on, and if the Salsa admins feel like this wouldn't be a problem, I would definitely yield to their much greater experience. But it's real bad out there in ways that I think the larger sites mostly hide because they put a lot of resources into spam detection and prevention that we don't have.

-- 
Russ Allbery (r...@debian.org) <https://www.eyrie.org/~eagle/>