I would like to add a comment on this page: https://wiki.openmrs.org/display/docs/Maven+Release+Process but i do not see the comment text box that i used to. Am logged in. Is there something am missing?
Oh i see! Thanks @darius
We should (and will) try to find a way to get back to allowing comments, but we need first to grow our infrastructure team so we have time for people to work on this. Currently, allowing anyone with an OpenMRS ID to comment or edit on the wiki/jira leads is too easy for spammers.
Ideally, through improvements to OpenMRS ID and leveraging Talk Badges, we should be able to build a web of trust, where people who have established they are not spammers are able to access all features, including comments.
I think it’s just a matter of managing permissions. Anonymous users should not be able to add comments.
I just created a comment in https://wiki.openmrs.org/display/docs/Maven+Release+Process
@lluismf yes i saw your comment. Is my account regarded as anonymous?
Possibly it’s because I have temporary admin permissions on JIRA (didn’t know about Confluence). The group confluence-users has the Add/Delete Comments disabled. Everybody belongs to this group.
Yes, I believe this is because @lluismf is a JIRA admin.
Anonymous vs authenticated isn’t a good enough filter to prevent spammers, because anyone can get an OpenMRS ID without having to prove anything. (The spam was all coming from “real” users, i.e. those thousands and thousands of people with OpenMRS IDs.)
Actually Lluis, it’s a little more problematic then that.
Bots were able to defeat our OpenMRS ID signup process (including CAPTCHA), and were creating accounts, which were then… going to create spam.
So, it’s more than just a permission issue, unfortunately.
I’ve added add/delete comments permission to the jira-administrators group (17 members). Daniel should be able to add comments now.
@lluismf am still not able to. Even after logging out and back in.
I had to add permissions at space level (space: Documentation, group: jira-administrators).
Actually I see little reason for comments. captchas are beatable easily, and those that cannot be beat can have a human be paid to solve them. I see little point in allowing comments. Unless you wanna be the one deleting all the spam, by all means. We’d need to moderate EVERY comment that came through.
Did you actually just say you see little reason for comments… in a comment?
Actually comments on the wiki can be extremely useful. They are a far lower barrier for people to contribute than editing a page. They also support threaded conversation about the page far better than page edits can. My point wasn’t that we would open up comments to spammers or possible spammers. In fact, when we can re-enable comments, we shouldn’t need captchas for them, since we would only allow them for trusted members of the community – i.e., “people who have established they are not spammers.”
- Aim for OpenMRS ID registration that requires human interaction, so the only spammers who can register are those using humans, not bots, to register.
- Create mechanism(s) to tag accounts as spam accounts within OpenMRS ID (LDAP) in a way that is accessible to group of trusted persons – e.g., any /dev/3+ who sees spam should be able to easily tag it as such and this would trigger the account to get labeled.
- Create tools/scripts to automatically clean out content created by accounts marked as spam accounts, so identifying a spammer in on location of the OpenMRS universe will clean up any messes they’ve made throughout (at least as best & as automated as we can manage).
- Create a recipe for recognizing an account as non-spam with >99.9% accuracy – e.g., an account that has introduced themselves, had interactions with the community (back & forth conversations), ± a badge that any /dev/2+ could hand out that would both attest to an account being valid (non-spam) and record who attested (so if the account was later recognized as spam, the attestor would be at risk as well).
Yup. Irony at its finest probably.
I think only
/dev/2+ should be able to comment. I don’t think we should have conversations there. They should happen here. This means they’re established and will prevent sayy GSoC students from commenting on the wiki page for the projects they are interested in.
Easier said than done. Trust me. Even Captchas aren’t perfect and will only partially solve this.
Didn’t you already try to do database changes with atlassian’s db once and REALLY screw up…let’s not.
This is a future feature for the new ID Dashboard User Management Dashboard. It’s pretty hard to do it.
Michael may have gone into the database. Personally, I’ve never nor would never want to risk manually touching an Atlassian database (other than backing it up). I wouldn’t want to risk introducing something not anticipated by their semi-automated upgrade process.
I wouldn’t try to build all the support into OpenMRS ID; rather, just start with a couple of additional attributes on accounts: (1) spam flag and (2) attestor ± date attested. If we had an API to check & set those attributes on OpenMRS ID accounts, we could leverage them via scripts/plugins. Extra credit would be to expose an API or feed of recently tagged spam accounts (for scripts to poll).
It wasn’t just Michael who said that – and that’s so not the truth, nor is it what happened. How do I know this? Well simple, Michael would have taken a backup before doing anything like that…without the need of Atlassian support to become involved. It’s sysadmin 101.
If comments are allowed to specific groups, and belonging to a group must be obtained on demand (sending an email to the Confluence admin) it’s perfectly possible to avoid bot generated spam comments.
That’s the current way we’re doing things. I’m granting access to jira to anybody who asks, but confluence is being more tightly controlled. We could always add an ldap group for this…
I believe that many users created by bots do have fake e-mails / e-mails created also by bots. If confirmation by e-mail is required we could prevent most of them. Unless they are really sophisticated bots than can bypass captcha AND answer e-mails like humans.