08-30-2008, 06:46 PM
Axel Thimm

One person - several FAS accounts? (was: bodhi abuse?)

On Sat, Aug 30, 2008 at 05:01:24PM +0200, Michael Schwendt wrote:
> Secondly, in my opinion, it is not okay that one person opens multiple
> Fedora accounts.
> [...]
> In case there are no rules yet, it's about time to create some.

I agree with Michael about 10^10%.

FAS accounts should be only one for each user. If there are needs for
having several accounts for one person, these needs should be
explained and either the FAS system extended to cover these cases, or
special cased by whatever entity (fesco, fab, Fedora infra team?) is
authoritative.

Isn't there perhaps already some texting that one needs to click
through that has the user sign that he will use only that account?
Otherwise could someone add this?

Besides bodhi fake voting this can even be used for fab/fesco fake
voting (although it is probably harder to mark several
same-person-accounts as packager accounts w/o anyone noticing it)!
--
Axel.Thimm at ATrpms.net
--
Fedora-buildsys-list mailing list
Fedora-buildsys-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-buildsys-list
 
08-30-2008, 10:57 PM
Michael Schwendt

One person - several FAS accounts? (was: bodhi abuse?)

On Sat, 30 Aug 2008 21:46:58 +0300, Axel Thimm wrote:

> I agree with Michael about 10^10%.
>
> FAS accounts should be only one for each user. If there are needs for
> having several accounts for one person, these needs should be
> explained and either the FAS system extended to cover these cases, or
> special cased by whatever entity (fesco, fab, Fedora infra team?) is
> authoritative.
>
> Isn't there perhaps already some texting that one needs to click
> through that has the user sign that he will use only that account?
> Otherwise could someone add this?
>
> Besides bodhi fake voting this can even be used for fab/fesco fake
> voting (although it is probably harder to mark several
> same-person-accounts as packager accounts w/o anyone noticing it)!

Just for the record and because my original post went to fedora-buildsys-list.
I've stumbled into suspicious voting activity in bodhi, such as:

https://admin.fedoraproject.org/updates/PackageKit-0.2.4-6.fc9
(pending)

+1 acottle - 2008-08-27 22:24:21
+1 auscity - 2008-08-27 22:24:46
+1 dcottle - 2008-08-27 22:25:11

There are more like that from those users. They have several things in
common. Never any comment except for sporadic words (or discussion with
other voters) from dcottle. Just the +1. Usually at least two of these
accounts vote in bodhi at the same time (i.e. with a delay of approx. 20
seconds like above) and always on the same updates for both F9 and F8.
It is often voted on pending updates, where downloading from koji is
necessary.

You can learn in one of dcottle's comments to a kernel update, where users
use bodhi to chat a bit, that his daily routine is to look for new builds
"in koji" in the morning hours. And yet it's three accounts that vote at
the same time on the same updates.

Of course, I'm paranoid. Of course, this is not the same person
behind those accounts. One can imagine how they sit next to each other
and practise voting in bodhi at the same time several days a week
for every update they try.

So, ... FAS confirmed that users dcottle and auscity are the same person
(actually with the email addresses swapped to make the connection even
more obvious), and acottle shares the surname *and* the domain name in the
email address.

After I had mailed the three users and the list, I've received four angry
replies from the person trying to explain that the multiple votes are done
because the updates are tested on several machines. About an hour ago
I've received a rude reply that mentioned the obvious possibility (or is
it a threat of what to expect next?) of "registering countless hotmail,
yahoo or free accounts and commenting all day long" and a pool of 64 IP
addresses in order to conceal the activity in bodhi.


It's great that dcottle (David Cottle) has been such an active update
tester, who's listed somewhere near the top of bodhi's new metrics. Yet,
spending +3 karma points instead of just one should not be done with three
accounts. Superhero testers (especially those who really test
hardware-dependent updates on lots of different hardware) could gain extra
privileges in bodhi or be marked as VIPs in the future. I'm sure something
can be done to reward them for their contribution and to aid package
maintainers in deciding what level of testing an update has seen.

However, all I see so far is an attempt at raising karma in bodhi in the
hope that the updates will be pushed to stable sooner. And that is
foul play IMO.

_______________________________________________
fedora-advisory-board mailing list
fedora-advisory-board@redhat.com
http://www.redhat.com/mailman/listinfo/fedora-advisory-board
 
08-31-2008, 03:29 AM
Seth Vidal

One person - several FAS accounts? (was: bodhi abuse?)

On Sun, 2008-08-31 at 00:57 +0200, Michael Schwendt wrote:
> On Sat, 30 Aug 2008 21:46:58 +0300, Axel Thimm wrote:
>
> > I agree with Michael about 10^10%.
> >
> > FAS accounts should be only one for each user. If there are needs for
> > having several accounts for one person, these needs should be
> > explained and either the FAS system extended to cover these cases, or
> > special cased by whatever entity (fesco, fab, Fedora infra team?) is
> > authoritative.
> >
> > Isn't there perhaps already some texting that one needs to click
> > through that has the user sign that he will use only that account?
> > Otherwise could someone add this?
> >
> > Besides bodhi fake voting this can even be used for fab/fesco fake
> > voting (although it is probably harder to mark several
> > same-person-accounts as packager accounts w/o anyone noticing it)!
>
> Just for the record and because my original post went to fedora-buildsys-list.
> I've stumbled into suspicious voting activity in bodhi, such as:
>
> https://admin.fedoraproject.org/updates/PackageKit-0.2.4-6.fc9
> (pending)
>
> +1 acottle - 2008-08-27 22:24:21
> +1 auscity - 2008-08-27 22:24:46
> +1 dcottle - 2008-08-27 22:25:11
>
> There are more like that from those users. They have several things in
> common. Never any comment except for sporadic words (or discussion with
> other voters) from dcottle. Just the +1. Usually at least two of these
> accounts vote in bodhi at the same time (i.e. with a delay of approx. 20
> seconds like above) and always on the same updates for both F9 and F8.
> It is often voted on pending updates, where downloading from koji is
> necessary.
>
> You can learn in one of dcottle's comments to a kernel update, where users
> use bodhi to chat a bit, that his daily routine is to look for new builds
> "in koji" in the morning hours. And yet it's three accounts that vote at
> the same time on the same updates.
>
> Of course, I'm paranoid. Of course, this is not the same person
> behind those accounts. One can imagine how they sit next to each other
> and practise voting in bodhi at the same time several days a week
> for every update they try.
>
> So, ... FAS confirmed that users dcottle and auscity are the same person
> (actually with the email addresses swapped to make the connection even
> more obvious), and acottle shares the surname *and* the domain name in the
> email address.
>
> After I had mailed the three users and the list, I've received four angry
> replies from the person trying to explain that the multiple votes are done
> because the updates are tested on several machines. About an hour ago
> I've received a rude reply that mentioned the obvious possibility (or is
> it a threat of what to expect next?) of "registering countless hotmail,
> yahoo or free accounts and commenting all day long" and a pool of 64 IP
> addresses in order to conceal the activity in bodhi.
>
>
> It's great that dcottle (David Cottle) has been such an active update
> tester, who's listed somewhere near the top of bodhi's new metrics. Yet,
> spending +3 karma points instead of just one should not be done with three
> accounts. Superhero testers (especially those who really test
> hardware-dependent updates on lots of different hardware) could gain extra
> privileges in bodhi or be marked as VIPs in the future. I'm sure something
> can be done to reward them for their contribution and to aid package
> maintainers in deciding what level of testing an update has seen.
>
> However, all I see so far is an attempt at raising karma in bodhi in the
> hope that the updates will be pushed to stable sooner. And that is
> foul play IMO.

Yes, this seems like a real problem to me.

Thanks for the heads up.

-sv


 
08-31-2008, 03:36 AM
Mike McGrath

One person - several FAS accounts? (was: bodhi abuse?)

On Sat, 30 Aug 2008, Seth Vidal wrote:

> On Sun, 2008-08-31 at 00:57 +0200, Michael Schwendt wrote:
> > On Sat, 30 Aug 2008 21:46:58 +0300, Axel Thimm wrote:
> >
> > > I agree with Michael about 10^10%.
> > >
> > > FAS accounts should be only one for each user. If there are needs for
> > > having several accounts for one person, these needs should be
> > > explained and either the FAS system extended to cover these cases, or
> > > special cased by whatever entity (fesco, fab, Fedora infra team?) is
> > > authoritative.
> > >
> > > Isn't there perhaps already some texting that one needs to click
> > > through that has the user sign that he will use only that account?
> > > Otherwise could someone add this?
> > >
> > > Besides bodhi fake voting this can even be used for fab/fesco fake
> > > voting (although it is probably harder to mark several
> > > same-person-accounts as packager accounts w/o anyone noticing it)!
> >
> > Just for the record and because my original post went to fedora-buildsys-list.
> > I've stumbled into suspicious voting activity in bodhi, such as:
> >
> > https://admin.fedoraproject.org/updates/PackageKit-0.2.4-6.fc9
> > (pending)
> >
> > +1 acottle - 2008-08-27 22:24:21
> > +1 auscity - 2008-08-27 22:24:46
> > +1 dcottle - 2008-08-27 22:25:11
> >
> > There are more like that from those users. They have several things in
> > common. Never any comment except for sporadic words (or discussion with
> > other voters) from dcottle. Just the +1. Usually at least two of these
> > accounts vote in bodhi at the same time (i.e. with a delay of approx. 20
> > seconds like above) and always on the same updates for both F9 and F8.
> > It is often voted on pending updates, where downloading from koji is
> > necessary.
> >
> > You can learn in one of dcottle's comments to a kernel update, where users
> > use bodhi to chat a bit, that his daily routine is to look for new builds
> > "in koji" in the morning hours. And yet it's three accounts that vote at
> > the same time on the same updates.
> >
> > Of course, I'm paranoid. Of course, this is not the same person
> > behind those accounts. One can imagine how they sit next to each other
> > and practise voting in bodhi at the same time several days a week
> > for every update they try.
> >
> > So, ... FAS confirmed that users dcottle and auscity are the same person
> > (actually with the email addresses swapped to make the connection even
> > more obvious), and acottle shares the surname *and* the domain name in the
> > email address.
> >
> > After I had mailed the three users and the list, I've received four angry
> > replies from the person trying to explain that the multiple votes are done
> > because the updates are tested on several machines. About an hour ago
> > I've received a rude reply that mentioned the obvious possibility (or is
> > it a threat of what to expect next?) of "registering countless hotmail,
> > yahoo or free accounts and commenting all day long" and a pool of 64 IP
> > addresses in order to conceal the activity in bodhi.
> >
> >
> > It's great that dcottle (David Cottle) has been such an active update
> > tester, who's listed somewhere near the top of bodhi's new metrics. Yet,
> > spending +3 karma points instead of just one should not be done with three
> > accounts. Superhero testers (especially those who really test
> > hardware-dependent updates on lots of different hardware) could gain extra
> > privileges in bodhi or be marked as VIPs in the future. I'm sure something
> > can be done to reward them for their contribution and to aid package
> > maintainers in deciding what level of testing an update has seen.
> >
> > However, all I see so far is an attempt at raising karma in bodhi in the
> > hope that the updates will be pushed to stable sooner. And that is
> > foul play IMO.
>
> Yes, this seems like a real problem to me.
>
> Thanks for the heads up.
>

If this becomes a real problem (or if it is already) we can just create a
policy against this sort of thing and enforce it on a per complaint basis.

-Mike

 
08-31-2008, 09:57 AM
"Dominik 'Rathann' Mierzejewski"

One person - several FAS accounts? (was: bodhi abuse?)

On Sunday, 31 August 2008 at 05:36, Mike McGrath wrote:
> On Sat, 30 Aug 2008, Seth Vidal wrote:
>
> > On Sun, 2008-08-31 at 00:57 +0200, Michael Schwendt wrote:
> > > On Sat, 30 Aug 2008 21:46:58 +0300, Axel Thimm wrote:
> > >
> > > > I agree with Michael about 10^10%.
> > > >
> > > > FAS accounts should be only one for each user. If there are needs for
> > > > having several accounts for one person, these needs should be
> > > > explained and either the FAS system extended to cover these cases, or
> > > > special cased by whatever entity (fesco, fab, Fedora infra team?) is
> > > > authoritative.
> > > >
> > > > Isn't there perhaps already some texting that one needs to click
> > > > through that has the user sign that he will use only that account?
> > > > Otherwise could someone add this?
> > > >
> > > > Besides bodhi fake voting this can even be used for fab/fesco fake
> > > > voting (although it is probably harder to mark several
> > > > same-person-accounts as packager accounts w/o anyone noticing it)!
> > >
> > > Just for the record and because my original post went to fedora-buildsys-list.
> > > I've stumbled into suspicious voting activity in bodhi, such as:
[...]
> > > However, all I see so far is an attempt at raising karma in bodhi in the
> > > hope that the updates will be pushed to stable sooner. And that is
> > > foul play IMO.
> >
> > Yes, this seems like a real problem to me.
> >
> > Thanks for the heads up.
> >
>
> If this becomes a real problem (or if it is already) we can just create a
> policy against this sort of thing and enforce it on a per complaint basis.

Actually this sort of thing is better handled by automated monitoring,
for example >2 votes within 5 minutes and/or from the same IP range should
raise some flags.

Regards,
R.

--
Fedora http://fedoraproject.org/wiki/User:Rathann
Livna http://rpm.livna.org | MPlayer http://mplayerhq.hu
"Faith manages."
-- Delenn to Lennier in Babylon 5:"Confessions and Lamentations"

 
08-31-2008, 02:46 PM
Josh Boyer

One person - several FAS accounts? (was: bodhi abuse?)

On Sun, Aug 31, 2008 at 11:57:34AM +0200, Dominik 'Rathann' Mierzejewski wrote:
>> If this becomes a real problem (or if it is already) we can just create a
>> policy against this sort of thing and enforce it on a per complaint basis.
>
>Actually this sort of thing is better handled by automated monitoring,
>for example >2 votes within 5 minutes and/or from the same IP range should
>raise some flags.

It's not that simple. Large companies can have a small handful of public
facing IP addresses, but a very large number of legitimate users behind
those few addresses.

josh
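
The automated monitoring suggested in this exchange (more than 2 votes within 5 minutes), sketched as an added example that is not part of the thread or of bodhi's own code. Because many legitimate users can share a few addresses, a same-range match is recorded only as an annotation, and a pair of accounts is queued for human review only when it bursts together on several updates; the vote records, account names, addresses and the two-update threshold are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network
from itertools import combinations

WINDOW = timedelta(minutes=5)  # "within 5 minutes", as suggested in the thread
BURST = 3                      # ">2 votes", as suggested in the thread
MIN_UPDATES = 2                # assumption: a pair must recur on 2+ updates

# Constructed sample votes: (update, account, timestamp, source IP).
# Every update name, account name and address here is made up.
VOTES = [
    ("pkg-alpha-1.0-1.fc9", "acct_a", "2008-08-27 22:24:21", "192.0.2.10"),
    ("pkg-alpha-1.0-1.fc9", "acct_b", "2008-08-27 22:24:46", "192.0.2.11"),
    ("pkg-alpha-1.0-1.fc9", "acct_c", "2008-08-27 22:25:11", "192.0.2.12"),
    ("pkg-alpha-1.0-1.fc8", "acct_a", "2008-08-27 22:26:02", "192.0.2.10"),
    ("pkg-alpha-1.0-1.fc8", "acct_b", "2008-08-27 22:26:30", "192.0.2.11"),
    ("pkg-alpha-1.0-1.fc8", "acct_c", "2008-08-27 22:26:55", "192.0.2.12"),
    ("pkg-beta-2.1-3.fc9", "acct_a", "2008-08-28 07:10:05", "192.0.2.10"),
    ("pkg-beta-2.1-3.fc9", "acct_b", "2008-08-28 07:10:27", "192.0.2.11"),
    ("pkg-beta-2.1-3.fc9", "dev_x", "2008-08-28 07:13:40", "203.0.113.5"),
    ("pkg-beta-2.1-3.fc9", "dev_y", "2008-08-28 09:30:00", "203.0.113.77"),
    # One-off burst from a single shared address (e.g. an office gateway).
    ("kernel-9.9-1.fc9", "corp_1", "2008-08-28 12:00:10", "198.51.100.7"),
    ("kernel-9.9-1.fc9", "corp_2", "2008-08-28 12:01:40", "198.51.100.7"),
    ("kernel-9.9-1.fc9", "corp_3", "2008-08-28 12:03:05", "198.51.100.7"),
]

def burst_pairs(votes):
    """Map update -> account pairs seen together in a burst on that update."""
    by_update = defaultdict(list)
    for update, account, ts, _ip in votes:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        by_update[update].append((when, account))
    flagged = {}
    for update, rows in by_update.items():
        rows.sort()
        pairs = set()
        for i, (start, _) in enumerate(rows):
            # Distinct accounts voting within WINDOW of this vote.
            accounts = {a for t, a in rows[i:] if t - start <= WINDOW}
            if len(accounts) >= BURST:
                pairs.update(combinations(sorted(accounts), 2))
        if pairs:
            flagged[update] = pairs
    return flagged

def shared_range(votes, a, b, prefix=24):
    """True if both accounts were ever seen in the same /prefix network."""
    nets = defaultdict(set)
    for _u, account, _t, ip in votes:
        nets[account].add(ip_network(f"{ip}/{prefix}", strict=False))
    return bool(nets[a] & nets[b])

def review_queue(votes):
    """Pairs that burst together on MIN_UPDATES+ updates, for human review."""
    counts = Counter(p for pairs in burst_pairs(votes).values() for p in pairs)
    return {p: {"updates": n, "shared_range": shared_range(votes, *p)}
            for p, n in counts.items() if n >= MIN_UPDATES}

if __name__ == "__main__":
    for pair, info in sorted(review_queue(VOTES).items()):
        print(pair, info)
```

The one-off burst from the shared address shows up in `burst_pairs` but never reaches `review_queue`, which is the case the shared-address objection is about.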

 
09-02-2008, 06:42 PM
"Karsten 'quaid' Wade"

One person - several FAS accounts? (was: bodhi abuse?)

On Sat, 2008-08-30 at 22:36 -0500, Mike McGrath wrote:

> If this becomes a real problem (or if it is already) we can just
> create a
> policy against this sort of thing and enforce it on a per complaint
> basis.

It sounds as if it has become a real problem. Can Infrastructure put
together a policy it can enforce? Then please let this know for a round
of sanity checking.

BTW, I have two accounts (kwade, quaid), with "legitimate" reasons for
having two that were not (previously?) covered by FAS capabilities. I
think I see a clear path from here for consolidation, but it may not be
for everyone. Folks will appreciate having some process and time to
sort out the how and why.

- Karsten
--
Karsten Wade, Sr. Developer Community Mgr.
Dev Fu : http://developer.redhatmagazine.com
Fedora : http://quaid.fedorapeople.org
gpg key : AD0E0C41
 
09-02-2008, 08:19 PM
Mike McGrath

One person - several FAS accounts? (was: bodhi abuse?)

On Tue, 2 Sep 2008, Karsten 'quaid' Wade wrote:

>
> On Sat, 2008-08-30 at 22:36 -0500, Mike McGrath wrote:
>
> > If this becomes a real problem (or if it is already) we can just
> > create a
> > policy against this sort of thing and enforce it on a per complaint
> > basis.
>
> It sounds as if it has become a real problem. Can Infrastructure put
> together a policy it can enforce? Then please let this know for a round
> of sanity checking.
>
> BTW, I have two accounts (kwade, quaid), with "legitimate" reasons for
> having two that were not (previously?) covered by FAS capabilities. I
> think I see a clear path from here for consolidation, but it may not be
> for everyone. Folks will appreciate having some process and time to
> sort out the how and why.
>

Hopefully someone who can write mo' betta can fix it but:

http://fedoraproject.org/wiki/Infrastructure/AccountSystem#Account_Termination

As far as I'm concerned, that goes into place at the end of the week if
no one has any problems with it. At that time the Infrastructure Team
will start fielding complaints and we'll start contacting people and
disabling accounts who are in violation.

Questions, comments? Speak up!

-Mike

 
09-02-2008, 10:27 PM
Josh Boyer

One person - several FAS accounts? (was: bodhi abuse?)

On Tue, Sep 02, 2008 at 03:19:35PM -0500, Mike McGrath wrote:
>Hopefully someone who can write mo' betta can fix it but:
>
>http://fedoraproject.org/wiki/Infrastructure/AccountSystem#Account_Termination
>
>As far as I'm concerned, that goes into place at the end of the week if
>no one has any problems with it. At that time the Infrastructure Team
>will start fielding complaints and we'll start contacting people and
>disabling accounts who are in violation.
>
>Questions, comments? Speak up!

I would phrase the last sentence as "Multiple accounts for an individual
person need FESCo approval."

Of course, this will need to be detected and acted upon to really have any
meaning at all. And while the policy is fine, there's really not much you
can do about people using "anonymous" hotmail/yahoo/gmail/etc accounts.

Really, this is just to keep the honest people honest.

josh

 
