Le 2025-05-27 19:16, Russ Allbery a écrit :
I would be worried about dropping the manual approval due to the sheer volume of sophisticated automated spam account creation attacks on any sort of authentication process with automatic sign-up.
I'm not suggesting that we simply drop manual approval, as I don't know of any automated and accurate method that could be used to prevent such abuse.
I'm rather proposing giving all DDs the power to approve pending requests, and giving all registered Debian contributors a way to generate invitation links that would not require further manual approval (iow these registrations would be "pre-approved" by the contributor generating the link, and they would be accountable in case of abuse). I believe this could help to reduce the approval delay in many cases.
I have a few ideas though (beyond captchas) that could eventually be tried later on a self-approval web UI, but that would indeed require close collaboration and supervision by Salsa admins so they can pull the plug at any time once abusers find their way through.
Cheers, -- Julien Plissonneau Duquène
