Advogato blog for 8191

7 Apr 2010

Wed, 7 Apr 2010 11:59:30 GMT

Playing whack-a-mole with spammers gets old after a while. Advogato needs at the very least some sort of e-mail confirmation before a new user can post.

6 Feb 2010

Sat, 6 Feb 2010 17:51:04 GMT

It's way to easy to do hit-and-run spamming on Advogato. It's so easy to automate, I'm surprised that the recentlog isn't completely dominated by spam. The reason it didn't happen yet is probably that the spammers are, well, dumb (evidence: they don't understand nofollow), but one can't rely on security through stupidity forever. Here's a very simple suggestion, which I volunteer to implement in case the Advogato community agrees: instead of asking for a password on registration, create a random password and mail it to the user; the user should then be able to change the password when she logs in. A password reminding mechanism already exists.

6 Feb 2010

Sat, 6 Feb 2010 14:05:15 GMT

A user becomes a Journeyer with a single certification, from another user who was, in turn, certified by a single user. I see a problem there. There's way too much trust passing through a single vertex in the graph.

Let's put on our Dijkstra hats and think of a solution. Here's one possibility: create a special vertex - let's call it the "sink". Create edges from every vertex in the graph to the sink (the weight of this edge would need to be tweaked a bit). This would add some "leaking" to trust, and help avoid this sort of situation. The actual masters would continue to be masters, but users with few certifications would see their ratings decreased.

An objection to that solution: it would be hard for vertices that are far from the sources to get their ratings raised. But I don't think there are that many "hops" from the sources to vertices that truly deserve trust.

Edit: looks like I misunderstood how the trust metric works. I assumed that mod_virgule would somehow find the sinks in the graph before running the network flow algorithm, but that wouldn't work, since sinks may not even exist (and they probably don't). All vertices are already connected to a single "supersink" - there's no other way. And the problem of users far from the sources not getting certified already exists.

Anyway, there already is a way to attain the proposed "solution", which doesn't even involve code changes: simply decrease the node capacities as a function of source distance; this is defined in config.xml, inside the <caps> tag.

4 Feb 2010

Thu, 4 Feb 2010 17:44:11 GMT

I like my new bright green color. Thanks everyone!

4 Feb 2010

Thu, 4 Feb 2010 13:29:25 GMT

Wow, looks like the recentlog is a goner. Maybe Advogato needs captchas? It doesn't take a genius to automate this sort of attack.

3 Feb 2010

Wed, 3 Feb 2010 08:20:19 GMT

Did a small update to the latest patch. Still thinking about how to add threading to diary entries.

1 Feb 2010

Mon, 1 Feb 2010 19:26:04 GMT

A patch for mod_virgule that adds editing and threading for article replies is here (screenshot). The page layout may need a bit of work, but I don't think it introduces any obvious security holes. Unfortunately article_generic_submit_serve got even messier.

I think some of this can be factored out and used to add threading for blog entries.

28 Jan 2010

Thu, 28 Jan 2010 16:31:32 GMT

redi: good point. Thanks for commenting!

I started to add threading to article comments, as mentioned in my previous post. It's looking like this. I'm not sure if certification levels should be rendered in that case.

28 Jan 2010

Thu, 28 Jan 2010 10:51:36 GMT

Most of the same code used by mod_virgule to manage and render article replies could be used to allow replies to diary entries. Diary replies could be rendered only when viewing a specific diary entry (and not in the recentlog or when viewing someone's page). Rendering a link saying "this diary entry has 5 comments" would require a virgule_db_dir_max call, but that wouldn't be too horrible.

Reply threading, with proper indentation, would be nice to have as well. One way to do that would be to add a parent key field to replies, and a tree would be built in memory before rendering. The existing database wouldn't need to be changed. All replies to an article or diary entry would need to be read to memory before rendering, but it wouldn't be that much more expensive than what's being done by the current code. Maybe the depth of the reply tree would need to be limited somehow.

27 Jan 2010

Wed, 27 Jan 2010 20:35:55 GMT

In this brave new era of Web 2.0, rounded corners, and self-important "engineers" riding the latest faddish web framework bandwagon, the idea of a web site written as a C module for Apache is intriguing. I seem to have arrived a bit late to the party, but I hope I can still somehow contribute to (what's left of) this community.

I wrote a patch for mod_virgule that allows the editing of article comments. Here it is.