15:00:44 <gaba> #startmeeting Tooling meeting 15 September 2020
15:00:44 <MeetBot> Meeting started Tue Sep 15 15:00:44 2020 UTC.  The chair is gaba. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:44 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
15:01:11 * anarcat waves
15:01:21 <gaba> o/
15:01:32 <gaba> let me create a pad so we start this as a proper meeting
15:02:39 <gaba> The idea for this meeting is to talk about gitlab so we can move forward and resolve challenges we have right now
15:02:44 <gaba> but also about tooling in general
15:02:53 <gaba> pad in http://kfahv6wfkbezjyg4r6mlhpmieydbebr5vkok5r34ya464gqz6c44bnyd.onion/p/tor-tooling-meeting-pad-2020-keep
15:07:39 <anarcat> who else is here?
15:08:38 <gaba> mmm, it seems that is just you and me
15:08:41 <anarcat> whee
15:08:44 <gaba> ahf was going to be here
15:08:45 <gaba> anyway
15:08:54 <juga> i'm here, but probably don't have much to propose
15:08:55 <anarcat> hi! :)
15:09:00 <anarcat> hello juga !
15:09:14 <juga> hi anarcat
15:09:20 <gaba> hi!
15:09:50 <gaba> the main issue I wanted to discuss today is the stuff about guest accounts
15:09:54 <gaba> and how people report issues
15:09:59 <ahf> hep
15:10:00 <ahf> i am here
15:10:06 <gaba> o/
15:10:09 <ahf> i was sitting at another computer sorry
15:10:24 <gaba> hi juga!
15:10:27 <gaba> ok
15:11:05 <gaba> please add anything you may need to discuss in the agenda: http://kfahv6wfkbezjyg4r6mlhpmieydbebr5vkok5r34ya464gqz6c44bnyd.onion/p/tor-tooling-meeting-pad-2020-keep
15:11:07 <ahf> guest accounts sounds good. i think i need some direction for what is next for the lobby stuff there
15:11:23 <ahf> i don't have anything else for this week, but i think we will find stuff as we go on with that
15:11:29 <gaba> the issue is that I feel that reporting bugs right now requires a lot of steps
15:11:41 <ahf> yep
15:11:42 * nickm lurks
15:11:48 <ahf> o/ nickm
15:11:51 <gaba> people are reporting issues in the notes of https://gitlab.onionize.space/
15:12:16 <ahf> yep, and some bots are just copying the "pre-filled" message in the signup form too :-/
15:12:45 <anarcat> bots are cracking the signup form?
15:12:48 <gaba> oh, I didn't realize that
15:13:06 <ahf> anarcat: not cracking, there is nothing to crack
15:13:14 <ahf> they just put in the same text as we have as suggested text
15:13:21 <ahf> which is something like "I wish to report an issue in Tor Browser"
15:13:47 <ahf> gaba: let me just find a ticket from nickm from a while ago
15:14:21 <ahf> is this: https://gitlab.torproject.org/tpo/tpa/gitlab-lobby/-/issues/1
15:15:41 <ahf> maybe we need to handle the contribution of first tickets as the first thing here? and then work towards merging the steps later?
15:16:34 <gaba> I wonder how bad things will get if we just open registration
15:17:18 <ahf> i think we will see spam if we open registration on the gitlab page itself. i think if we open registration via an external tool then we won't see much spam at all
15:17:31 <ahf> we can try the former though and see how bad it goes?
15:18:21 <nickm> if we're going to do that we should make a note that it's experimental and we'll go back to the current thing if there's spam
15:19:14 <gaba> tbh i have no idea what other way we can improve this.
15:19:31 <ahf> nickm: yep
15:19:50 <ahf> gaba: is cool, it means that i can focus on anonymous submissions and moderation of that for the lobby if we do that
15:20:03 <ahf> and just leave the code that is in there for now for sign-ups if we need to fall back to that
15:20:09 <gaba> ok
15:20:23 <gaba> we open it up and we check back in a week?
15:20:26 <ahf> it does mean that we give every user on the internet a bit of storage on the server for hosting projects there
15:20:40 <ahf> so we should probably be using the nice grafana view more that the sysadmin team gave us
15:20:44 <ahf> where we can see disk usage and such
15:20:56 <ahf> we had a downtime with gitlab last saturday that hiro solved for us, which was due to disk space
15:21:10 <ahf> which i think is because there is a lot of forking going on right now with the browser related projects and those projects are very big
15:21:22 <juga> to avoid spam with open registrations, doesn't gitlab have a captcha system? (though that would penalize Tor users probably)
15:21:27 * anarcat told-you-so's ;)
15:21:56 <ahf> juga: nope, it has a system where we can send usernames + the users IP to a third-party that says good/bad
15:22:06 <ahf> but we don't want to send all users info that way
15:22:15 <juga> ahf: makes sense, thanks
15:23:33 <ahf> okay, so it sounds like we are ok with trying this as an experiment
15:23:56 <ahf> should i go ahead then and remove the sign-up text with link to the lobby sign-up and enable open registration?
15:24:08 <ahf> and we need to tell all the people who are currently doing moderation too
15:24:15 <gaba> +1 to try this for a week
15:24:20 <ahf> i can do that. the N is not very big, but it's like 10 people i think
15:24:24 <gaba> there is nothing in moderation queue right now
15:24:35 <ahf> yep
15:25:55 <gaba> ok. We should tell people doing moderation and ggus
15:25:59 <gaba> that is doing support
15:27:15 <ahf> ok, i can do that
15:27:37 <nickm> query: what abusive behavior could people do on gitlab that we would _not_ notice promptly?
15:28:37 <ahf> create a user, create a repo, put crap in repo
15:28:45 <gaba> limit to 5 repos
15:28:46 <ahf> generate todo list items
15:28:54 <ahf> spam existing issues
15:28:56 <gaba> maybe we should lower down the amount of projects they can create
15:28:58 <ahf> spam with new issues
15:29:14 <nickm> for "spam existing issues" or "spam new issues" we'd probably notice, right?
15:29:26 <gaba> they can create groups
15:29:35 <nickm> but 'create abusive repos' (eg copyright infringement, advertising) wouldn't necessarily get noticed fast
15:30:03 <ahf> nickm: ah, right
15:30:11 <ahf> nickm: yep
15:31:05 <gaba> I'm going to uncheck "Notify users by email when sign-in location is not recognized" that is related to https://gitlab.torproject.org/tpo/tpa/gitlab/-/issues/68
15:31:14 <ahf> i think i have enabled sign-up now
15:31:25 <anarcat> there was an interesting discussion about captcha workarounds on HN! recently, in case that's useful here https://news.ycombinator.com/item?id=24334657
15:31:55 <anarcat> the poster was facing a determined attacker that would deliberately subvert spam controls, and wanted to avoid reCAPTCHA (like us) so it's an interesting overview of possible solutions
15:32:13 <anarcat> some suggested SMS authentication, to give you an idea of how far the discussion went
15:32:24 <nickm> ahf: on the sign-up page do we have a disclaimer for "this is for tor only" and/or "this is open as an experiment. if we start getting spam or abuse, we'll have to lock this down again" ?
15:32:41 <ahf> no, i removed the part with "Account creation go to this page" text
15:33:36 <ahf> okay, now we are at this accounts stuff
15:33:44 <ahf> we have a lot of accounts that we have given access to via the lobby
15:33:48 <ahf> who have never logged in
15:33:54 <anarcat> many solutions involve major modifications to the software, of course, like shadow-banning, but also stuff like bayes filter and hooking up with stopforumspam.com which i did not know about
15:34:51 <ahf> i am not going to dive into a new captcha thing unless it gets made by the gitlab.com people
15:35:10 <ahf> we have a solution that took a very short amount of time to do that we can fallback to if this doesn't work, which requires manual moderation
15:35:32 <nickm> ahf: we should probably have a process to disable inactive accounts after a long time then
15:35:37 <gaba> ahf: we said we were going to remove accounts that were never used or not used for an X amount of time, right?
15:35:47 <ahf> gaba: we have a ticket for it, but then i went on vacation
15:35:55 <ahf> so there is no code to expire accounts right now
15:36:11 <anarcat> ahf: i guess i mention this as a future reference, and in case you want to implement some heuristics in the signup form itself
15:36:18 * gaba needs to go through gitlab tickets... had no time for it yesterday
15:36:23 <anarcat> i'm not proposing we start patching gitlab, obviously :p
15:36:27 <ahf> anarcat: nods
15:37:20 <ahf> if this experiment with sign ups seems to work OK, do we agree that the next important thing for a lobby application to do is to handle anonymous submissions? i feel bad for the people who requested this *very* early in the gitlab migration process and keeps being postponed for them
15:37:26 <ahf> and they all want to help moderate it
15:37:29 <anarcat> https://gitlab.torproject.org/tpo/tpa/gitlab/-/boards likes a prioritized todo list
15:37:34 <anarcat> if maybe out of date :)
15:37:47 <anarcat> i thought https://gitlab.torproject.org/tpo/tpa/gitlab/-/issues/21 was done already
15:38:09 <ahf> it hasn't been moved away from my account
15:38:17 <anarcat> ah
15:38:21 <ahf> only the lobby has been moved to tpa/
15:38:23 <anarcat> seems like a low hanging fruit ;)
15:38:26 <ahf> yep
15:38:52 <gaba> +1 to figure out anonymous submissions
15:39:43 <ahf> okay, if that is the next step i think i will next week talk a bit with geko about how we should do it. he has been giving me some feedback already when we talked about it earlier in the process
15:40:25 <ahf> the irc bot with the short-hands for MR's and issues has been running without an exception now since it was started last time, so that is good
15:40:36 <ahf> it should probably be moved to tpo/tpa/ too so people can submit issues/feature requests there
15:41:08 * anarcat nods
15:41:15 <ahf> maybe at some point we can disable the long-form ticket ID handling of zwiebelbot as 'tor' already does it
15:42:19 <ahf> also, we should probably try to encourage people who have tooling suggestions/need help to come to these meetings. i like that they have been renamed from gitlab to just be about tooling
15:42:29 <ahf> i hope people will come with input/suggestions via that :o
15:42:37 <anarcat> seems like we should prioritize https://gitlab.torproject.org/tpo/tpa/gitlab/-/issues/11 as well
15:42:45 <ahf> yeah lol
15:42:57 <ahf> deadline june 26
15:43:02 <gaba> ...
15:43:03 <ahf> it is like high school all over
15:43:23 <anarcat> anyways, yeah, someone (tm) needs to walk through those tickets
15:43:25 <ahf> maybe we can announce it now that we have open registration? :-)
15:43:48 * gaba will walk through the tickets this week before next meeting
15:43:55 <anarcat> awesome gaba, thanks!
15:45:08 <ahf> yeah, very nice!
15:46:20 <ahf> at some point i would like to hear people out what they find annoying with GL or what works well or what they wish they had. the first 2 months had a lot of support, but these days there is not much
15:46:25 <ahf> and people seem to be using the CI too
15:46:55 * ahf has nothing more for today :o
15:48:28 <gaba> yes, I would love to do a retrospective on this
15:48:41 * anarcat is slightly annoyed with the wikis, but is happy to have switched from trac :)
15:48:41 <gaba> I have marked a retrospective in the calendar in october for all hands
15:48:45 <anarcat> cool
15:48:50 <gaba> i'm annoyed with permissions
15:49:01 <gaba> and wikis not open for everybody in the internet world
15:49:29 * gaba has no more stuff. we can bring all this in a next meeting
15:49:42 <gaba> #endmeeting