openid on the wiki?

Karsten 'quaid' Wade kwade at redhat.com
Wed Jan 25 21:35:04 UTC 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/25/2012 02:45 AM, Ewoud Kohl van Wijngaarden wrote:
> On Wed, Jan 25, 2012 at 10:17:43AM +0200, Itamar Heim wrote:
>> On 01/25/2012 06:03 AM, Karsten 'quaid' Wade wrote:
>>> On 01/24/2012 03:40 PM, Ewoud Kohl van Wijngaarden wrote:
>>>> I have no experience with mediawiki + openid myself, but
>>>> maybe giving it a go and monitoring it would be good enough for
>>>> now.
>>>> 
>>>> Possible downsides:
>>>> - Spammers use openid to spam
>>>> 
>>>> Possible upsides:
>>>> - More open to new people
>>>> - People can use a single account for both gerrit and the wiki
>>>> 
>>>> Since the wiki edits are also shown on IRC I think spam would
>>>> be caught fast enough and in the worst case the change could
>>>> be reverted.
>>> 
>>> That's a good point, the wiki edits are watched that way more
>>> carefully.
>>> 
>>> What would our reaction be if we started to see spam edits via
>>> OpenID accounts?
>>> 
>>> * Can we easily disable those accounts?
>>> * Would we revert to not using OpenID?
>>> ** Sometimes spammers seem to be doing test-spam on a wiki, so a
>>>    few scattered edits might be preparation for an onslaught.
>>> 
>>> Also consider all this in terms of who is taking care of the
>>> wiki. We don't (yet?) have enough individuals or a team that
>>> seem to be taking on any wiki management tasks.
>>> 
>>> So a spamming situation could rally such folks, but it could
>>> also kill the energy while in the crib by overwhelming it with
>>> spam pages from incrementally more spam accounts.
>>> 
>>> I'm reacting a bit here to e.g. more wiki pages being
>>> incorrectly named than not, so a lot of wiki gardening required
>>> still. OTOH, I am very much in favor of lowering barriers as
>>> much as we can. I'd like to proceed with this discussion and
>>> just figure out a way to counterbalance the risks, etc.
>> 
>> can we separate the openid support for authentication (so people
>> can use same user/password) from authorization (can an openid
>> account do something)?
>> 
>> so we would still have the process of an existing user has to
>> give edit permissions to an openid user?
> That could be a mitigation in case we do get spammers.
> 
> I'm wondering how wikipedia handles this since that's an open wiki
> using the same software. Using an extension for authentication
> makes us a non-standard target and thus harder.

AIUI, a large part is the legion of volunteers who revert spam edits.

All of the protection tools, such as Captchas, are reportedly cracked
by spammers.

> I think it's important, if not vital, for an open source project to
> have a low barrier to join. Making it easy to do small fixes on the
> wiki could help get people more involved.

This I do agree with, and wrote in to The Open Source Way handbook:

https://www.theopensourceway.org/wiki/How_to_loosely_organize_a_community#Use_lightweight.2C_open_collaboration_tools_-_wikis.2C_mailing_lists.2C_IRC.2C_version_control.2C_bug_trackers_-_and_give_out_access

... and then as a project, struggle with how to handle the wiki auth.

(Short URL of above: http://bit.ly/TOSWOpenTooling )

> So in short I think using openid authentication and open
> authorization will benefit the project at an acceptable risk of
> spammers. If we do notice spammers we can switch to user
> authorization with manual approval of users or in the worst case
> fully disable openid and revert to the current workflow.

Are you able to volunteer to help with wiki gardening? In specific,
keeping things cleaned up if we do get a spammer - reverting changes,
deleting accounts, etc.

If we can get enough of us to watch things with commitment, then I'm
much more comfortable with the idea of rolling out OpenID.

- - Karsten
- -- 
name:  Karsten 'quaid' Wade, Sr. Community Architect
team:    Red Hat Community Architecture & Leadership
uri:              http://communityleadershipteam.org
                         http://TheOpenSourceWay.org
gpg:                                        AD0E0C41
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iD8DBQFPIHWI2ZIOBq0ODEERAiioAJ96Cc0ZKm7ZvnaFfQAnrHhvla0e9wCdG4c4
AIOT2IIfTrJ8qtN47c96hcw=
=D3ho
-----END PGP SIGNATURE-----


