On 20/02/2019 10.48, Alex Christoph Bihlmaier wrote:

Hello dear fellow opensuse-enthusiasts!

I am wondering about openSUSE connect - there is a huge amount of spam on it and it really is not a shiny & bright representation of the openSUSE project.

Who is in charge of it? I think we should deal with it.

I don't see spam there, the page has not been hacked as far as I can see. https://connect.opensuse.org/ Besides that, I don't know if the site is working or maintained. -- Cheers / Saludos, Carlos E. R. (from 15.0 x86_64 at Telcontar)

AFAIK Connect was declared soon to be dead some time ago. Best, Maurizio Galli (MauG) On 2/20/19, Alex Christoph Bihlmaier wrote:

Hello dear fellow opensuse-enthusiasts!

I am wondering about openSUSE connect - there is a huge amount of spam on it and it really is not a shiny & bright representation of the openSUSE project.

Who is in charge of it? I think we should deal with it.

cheers Alex -- ** Jabber thalunil@kallisti.at **

-- Maurizio Galli (MauG) -- To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org To contact the owner, email: opensuse-project+owner@opensuse.org

Am 20.02.19 um 11:19 schrieb Maurizio Galli:

AFAIK Connect was declared soon to be dead some time ago.

I would vote for that +1 :) thanks thal -- *** Jabber thalunil@kallisti.at

On 20/02/2019 22.47, Fraser_Bell wrote:

On 2/20/19 1:48 AM, Alex Christoph Bihlmaier wrote:

...

Hello dear fellow opensuse-enthusiasts!

I am wondering about openSUSE connect - there is a huge amount of spam on it and it really is not a shiny & bright representation of the openSUSE project.

Who is in charge of it? I think we should deal with it.

cheers Alex

Nobody is willing to take charge of it:  Short answer, complaints are made -- especially on the mailing lists -- but nobody will step up to do the job.

It has long been known that the openSUSE Board and other overworked Contributors have agreed that Connect should be closed, but there is a catch:

The only system for managing the openSUSE Membership and the list of openSUSE Members is Connect.

A replacement setup needs to be created, not on Connect, and without the Social Media notion.

It will require a secure database of the Members, so it can be checked for who qualifies for voting privileges, for example, plus a way for Contributors to apply for Membership, and a way for those who are permitted to check Memberships to be able to do so.

Until someone steps up to take on that task, we are stuck with it the way it is.

Can the posting be blocked? -- Cheers / Saludos, Carlos E. R. (from 15.0 x86_64 at Telcontar)

On Thu, 21 Feb 2019 at 09:35, Maurizio Galli (MauG) wrote:

AFAIK Connect was declared soon to be dead some time ago.

Perhaps the way to deal with the spam is to pull the plug ASAP?

Pull the plug without a replacement for the Membership and the Membership application process and we'll be on course for not electing a new Board and having a constitutional crisis in the future https://en.opensuse.org/openSUSE:Membership_officials#Process describes the current process and the requirements for such a replacement.

On 2/20/19, Alex Christoph Bihlmaier wrote:

...

Hello dear fellow opensuse-enthusiasts!

I am wondering about openSUSE connect - there is a huge amount of spam on it and it really is not a shiny & bright representation of the openSUSE project.

Who is in charge of it? I think we should deal with it.

cheers Alex -- ** Jabber thalunil@kallisti.at **

-- Maurizio Galli (MauG) -- To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org To contact the owner, email: opensuse-project+owner@opensuse.org

-- To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org To contact the owner, email: opensuse-project+owner@opensuse.org

On Thu, 21 Feb 2019 at 10:02, Matthias Brugger wrote:

...

Obviously it would be much nicer if the solution didn't involve google docs so hopefully someone can come up with something before connect completely dies and we have to use it as a method of last resort. We don't need something complex however under GDPR we do need to ensure that only the people that need access to the info have it.

You can do that with a nextcloud instance. So the question would be if someone wants to set that up and maintain it...

Or you create an internal email list for board + heroes where you post such requests.

The Board absolutely do not have anything to do with approving Memberships - that would be a rather large conflict of interest, selecting who would be empowered to vote for them ;) That's why we have a Membership Committee - https://en.opensuse.org/openSUSE:Membership_officials#Process -- To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org To contact the owner, email: opensuse-project+owner@opensuse.org

On 21/02/2019 09.34, Simon Lees wrote:

On 21/02/2019 08:17, Fraser_Bell wrote:

...

On 2/20/19 1:48 AM, Alex Christoph Bihlmaier wrote:

...

Hello dear fellow opensuse-enthusiasts!

I am wondering about openSUSE connect - there is a huge amount of spam on it and it really is not a shiny & bright representation of the openSUSE project.

Who is in charge of it? I think we should deal with it.

cheers Alex

Nobody is willing to take charge of it:  Short answer, complaints are made -- especially on the mailing lists -- but nobody will step up to do the job.

It has long been known that the openSUSE Board and other overworked Contributors have agreed that Connect should be closed, but there is a catch:

The only system for managing the openSUSE Membership and the list of openSUSE Members is Connect.

A replacement setup needs to be created, not on Connect, and without the Social Media notion.

It will require a secure database of the Members, so it can be checked for who qualifies for voting privileges, for example, plus a way for Contributors to apply for Membership, and a way for those who are permitted to check Memberships to be able to do so.

Until someone steps up to take on that task, we are stuck with it the way it is.

If someone wants to work on this it really wouldn't be hard, the last board discussed it in our face 2 face then I guess ran out of time to do something.

Given our new membership rules require much less checking, the new process could be as simple as a mailing list where people request membership stating why they should have it, then a member of the membership committee could approve the request presuming it meets the requirements and add there handle, email, preferred 0.0 email address and irc cloak to a google docs spreadsheet then a member of the hero's could be contacted to setup the mail forwarder and irc cloak. Only the Membership committee and Board would have access to the spreadsheet.

Obviously it would be much nicer if the solution didn't involve google docs so hopefully someone can come up with something before connect completely dies and we have to use it as a method of last resort. We don't need something complex however under GDPR we do need to ensure that only the people that need access to the info have it.

I understand that is what is needed for the new thing. But what is needed to clear the spam on opensuse-connect, which is the current thread subject? If I were to volunteer for that, what would I need to do? It seems to me that it is another forum. I know nothing of maintaining a forum in order to reduce spam, so all I can think of is manually deleting posts and killing those posters, but if they keep coming I have no idea how to block them. If the things to do involve maintaining that software, I know nothing about that software. -- Cheers / Saludos, Carlos E. R. (from 15.0 x86_64 at Telcontar)

On 21/02/2019 19:32, Matthias Brugger wrote:

On 21/02/2019 09:34, Simon Lees wrote:

...

On 21/02/2019 08:17, Fraser_Bell wrote:

...

On 2/20/19 1:48 AM, Alex Christoph Bihlmaier wrote:

...

Hello dear fellow opensuse-enthusiasts!

I am wondering about openSUSE connect - there is a huge amount of spam on it and it really is not a shiny & bright representation of the openSUSE project.

Who is in charge of it? I think we should deal with it.

cheers Alex

Nobody is willing to take charge of it:  Short answer, complaints are made -- especially on the mailing lists -- but nobody will step up to do the job.

It has long been known that the openSUSE Board and other overworked Contributors have agreed that Connect should be closed, but there is a catch:

The only system for managing the openSUSE Membership and the list of openSUSE Members is Connect.

A replacement setup needs to be created, not on Connect, and without the Social Media notion.

It will require a secure database of the Members, so it can be checked for who qualifies for voting privileges, for example, plus a way for Contributors to apply for Membership, and a way for those who are permitted to check Memberships to be able to do so.

Until someone steps up to take on that task, we are stuck with it the way it is.

If someone wants to work on this it really wouldn't be hard, the last board discussed it in our face 2 face then I guess ran out of time to do something.

Given our new membership rules require much less checking, the new process could be as simple as a mailing list where people request membership stating why they should have it, then a member of the membership committee could approve the request presuming it meets the requirements and add there handle, email, preferred 0.0 email address and irc cloak to a google docs spreadsheet then a member of the hero's could be contacted to setup the mail forwarder and irc cloak. Only the Membership committee and Board would have access to the spreadsheet.

Obviously it would be much nicer if the solution didn't involve google docs so hopefully someone can come up with something before connect completely dies and we have to use it as a method of last resort. We don't need something complex however under GDPR we do need to ensure that only the people that need access to the info have it.

You can do that with a nextcloud instance. So the question would be if someone wants to set that up and maintain it...

Well possibly a bigger question is does the openSUSE project have any hardware capable of / accessible to the hero's to install such an instance.

Or you create an internal email list for board + heroes where you post such requests.

The problem is storing the data, in a controlled way but having a mailing list for the request part is easy. -- Simon Lees (Simotek) http://simotek.net Emergency Update Team keybase.io/simotek SUSE Linux Adelaide Australia, UTC+10:30 GPG Fingerprint: 5B87 DB9D 88DC F606 E489 CEC5 0922 C246 02F0 014B -- To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org To contact the owner, email: opensuse-project+owner@opensuse.org

Hey, Le jeudi 21 février 2019, à 11:41 +0100, Richard Brown a écrit :

On Thu, 21 Feb 2019 at 11:01, Lars Vogdt wrote:

...

openSUSE membership can be managed via paper. Setting up Email aliases and IRC cloaks can be stopped until there is a new tool established. Lost trust and data because of security breaches is way harder to restore and will result in much more work for everyone.

I wholeheartedly agree, which is why the recent changes to the process and requirements for new "tooling" written as loosely as they were. (pen and paper is a "tool") We took great care to make sure the door is wide open for innovative solutions to the problem. But, the problem should not be exacerbated by the actions of other contributors. That's simple good behaviour under our Guiding Principles. To give an equivalent example.

Badly maintained package gets removed from our distributions. In these cases, the maintainer is expected to drive forward the situation, meaning the maintainer is expected to announce the intention of removing the package, the maintainer is expected to drive the mitigation of the removal of the package.

That might mean talking to others and encouraging them to take on the problem, that might mean posting general calls for help on the mailinglists.

I think those expectations carry out to situations like this just as well.

Like a key package in our distributions, connect.o.o provides a key service upon which the entire governance structure of this Project is built upon.

You're describing the graceful way of retiring a package / service. But when the graceful way has been failing for years (which is the case here), I think it's fair to just retire the thing and deal with the consequences in a reactive way. [...]

As we're talking about changes to the Governance structure, any such changes need to be done with the consent of the project as a whole. [...]

This is not a change to the governance structure; it's a change in where and how information is stored. The governance structure would not be impacted by this -- or if it would, can you elaborate how? [...]

We can't just have people randomly turning off services which provide key planks to the project. If OBS dissapeared tomorrow without replacement we wouldn't have any distributions. If connect.opensuse.org disappears tomorrow we don't have any Project members.

If the relevant info is exported, why would we not have any project members anymore?

Quite often, when other topics with a Project-wide impact but no clear owner, such things end up on the Board's desk, as the escalation point of last resort. But we're talking about the very process which selects who can vote for the Board.

No. We're not talking about the criteria that are used to evaluate if somebody should be a member or not. We're talking about a tool that is used to facilitate the work of the membership officials. And honestly, if we're concerned by a conflict of interest, the first thing to change would be this: "Membership officials are appointed by the openSUSE Board." [...]

This isn't the first time I've asked this question on a public stage, but in the hope that this time I get an answer; Who volunteers to tackle the problem with connect.o.o and drive forward a solution?

I would give this request a deadline of a week or two max, and then simply export the data and shut down connect.o.o. Yes, it'll be painful for the membership officials (and I'm sorry for this, as playing that role is already something that doesn't bring much recognition). But I trust the membership officials would find a way to deal with this. Cheers, Vincent -- Les gens heureux ne sont pas pressés. -- To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org To contact the owner, email: opensuse-project+owner@opensuse.org

Le 21/02/2019 à 14:23, Vincent Untz a écrit :

I would give this request a deadline of a week or two max, and then simply export the data and shut down connect.o.o.

I support this, also because we just have a new board, so we have time to solve the problem before next ballot jdd -- http://dodin.org -- To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org To contact the owner, email: opensuse-project+owner@opensuse.org

Le 21/02/2019 à 15:32, Lars Vogdt a écrit :

As such, maintaining 447 [1] openSUSE members should not depend on a single tool. Especially not if the used tool has open, well known security issues since years[2].

use "galette"? free membership management :-) jdd -- http://dodin.org -- To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org To contact the owner, email: opensuse-project+owner@opensuse.org

On czw, lut 21, 2019 at 11:01 AM, Lars Vogdt wrote:

Hi

Sorry for the long Email below, but the topic is triggering something in me that I can not hold any longer. Before you proceed reading, please note that I am speaking here as openSUSE member, not more, not less. I also don't want to attack anyone personally, just want to make clear where I see problems from my personal point of view.

On Thu, 21 Feb 2019 09:39:11 +0100 Richard Brown wrote:

...

On Thu, 21 Feb 2019 at 09:35, Maurizio Galli (MauG) wrote:

...

AFAIK Connect was declared soon to be dead some time ago.

Perhaps the way to deal with the spam is to pull the plug ASAP?

Pull the plug without a replacement for the Membership and the Membership application process and we'll be on course for not electing a new Board and having a constitutional crisis in the future

https://en.opensuse.org/openSUSE:Membership_officials#Process describes the current process and the requirements for such a replacement.

Getting a replacement should not be that hard. I could imagine anything from a Next-/Owncloud instance (with nice, additional features) over to something designed especially for membership management tasks like https://www.admidio.org/ for example.

But I see another, real problem: the amount of people willing to administrate and maintain all the infrastructure behind openSUSE is meanwhile down to less than a handful of people - and those need to be real super heroes as meanwhile they do not only need to administrate the "backend stuff" (means: operating systems, storage & network stuff) but ALSO all the running applications. I don't know how they manage all this in their spare time, but they have my deepest respect and I wish there would be more volunteers.

If you want to get an idea about the current status, just take the systems listed at https://status.opensuse.org/ (and keep in mind that there are many more systems in the backend that are not listed there):

* download.o.o -> maintained by one person, if I'm right * planet.o.o -> more or less unmaintained - old, outdated software

There is an issue of upstream, it seems that there is no good upstream planet software, I have been working between the breaks on something that would work for us, but gave up after being tired of how annoyingly unsupported planet software seems to be. Also it's realistically a static website + CRON, and all reports of spam before on it were handled well by the admins.

* etherpad.o.o -> running outdated version, unmaintained

I might reuse the instance with matrix, considering riot has etherpad integration :thinking: (heroes, take me, I can fix this :x)

* icc.o.o -> down since weeks now, and nobody cares * lizards.o.o -> 4.7.5 vs. 5.0.3 including security problems (please correct me here, if I'm wrong)

Also dead, the only posters are YaST team, which should move to their own yast.opensuse.org, when I get to creating a jekyll theme for posts and stuff needed to migrate. I will create a ticket to provo to export database later today.

* news.o.o -> at least the current version, but updates are happening only on special request

Funny you should mention that, I requested database export from provo, no response this far (please provo, it's not this hard)

* features.o.o -> luckily to be shut down soon * progress.o.o -> old, outdated

And actively used ;)

* connect.o.o -> old, outdated - topic of this thread ...

To me it looks like more or less everything which is currently not in scope for SUSE employees is unmaintained.

Please note: this should not be an attack to anyone - especially not to the openSUSE heroes, who do their best to keep the systems up and running - but the openSUSE community should IMHO decide sooner than later IF and HOW these systems should be handled in the future.

Most of the web-applications listed above started because of enthusiastic community members who invested a lot of their spare time into this. They learned a lot and others found their work useful - everybody had a lot of fun during these days. But live goes on, and people start having other interests and went away. Others still find the systems useful and want to use them - they became legacy.

From my point of view, openSUSE as community is very bad in managing those legacy systems. While for some of them (like crashdb.o.o) the right approach was taken and the systems were shut down, others are still there and need someone who takes care.

Because it is not clear who is responsible for them, this is one critisizm I would commit towards heroes here :P

We have an infrastructure policy [1] that says: "All running servers will be evaluated every 6 month to determined continued need for the services provided. If a service is deemed outdated or the server hosts content that may no longer be needed the maintainer on record will be contacted to provide additional details. If no response is received within a 2 week period the server will be shut down."

So either we - as community - decide to delete this sentence completely (as we do not want to follow the policy), or we allow our openSUSE heroes to follow the policy and shut down the services listed above. Sounds simple and consequent, right?

Agreed

If there is a need, requested from whomever (and from my personal history I know the board resp. the membership committee is asking again and again to keep connect.o.o alive), this person/group either has to invest the time and resources to keep the service in question up-to date, secure and alive or had to agree that they need to search for something else and find someone who takes over the administration.

I personally left the openSUSE heroes for many reasons. But one reason clearly was that I did not want to take over the responsibility for services that I did not set up/developed or have any interest in. Many users seem to anticipate that "keeping a service up and running" is very easy. I say: no, it isn't. Keeping a service not only available but secure and adjusted to changes (like PHP5 -> PHP7 or Ruby 2.3 -> 2.5 as example) needs time and knowledge. Of course, you could re-install it or re-deploying your docker image every time it has been hacked, but my personal demands are way higher than that.

So: saying that we need to keep old, outdated, already spammed services up and running "because our users - or better, a small group of users - want or need them" -- fully inheriting the risk of security and data breaches (how many people have their personal data stored in connect?) is not the way I can support. Not the way I can accept. Not the way I want to see openSUSE running and handling the personal data of the own community.

And I agree, some of those services should __not__ be handled by dynamic websites, all we really need for news, planet is jekyll frontend generated locally, which cannot be breached or contain personal details. I really want provo to respond with news and lizards, so we can have way nicer looking and working website for news, and send people articles they wrote on lizards in the past, so they can put them up somewhere they desire. BUT that requires provo to be responsive :/

I already took the consequences and stepped back from the openSUSE heroes. Looks like I need to step back as openSUSE member as well, as this is really nothing I want to be involved with.

openSUSE membership can be managed via paper. Setting up Email aliases and IRC cloaks can be stopped until there is a new tool established. Lost trust and data because of security breaches is way harder to restore and will result in much more work for everyone.

And it basically is managed via paper, or more precisely via spreadsheet from what I heard. From my POV, this is the perfect time to take action, considering that SUSE has to move away from majority of infra anyway, due to buyout, openSUSE could implement stuff like FAS and noggin for login, pagure for code etc. If you are passionate about managing web services, heroes have their arms more open than any other "team" in openSUSE from my experience (take note everybody >:D). There are also two services that weren't updated in a long time, paste and lists, those need some serious work too, but I believe there was a plan to move to gnu mailman anyway, so hopefully hyperkitty will be a thing for openSUSE in the future. Paste though? Well, well, uhh... LCP [Stasiek] https://lcp.world -- To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org To contact the owner, email: opensuse-project+owner@opensuse.org

On 21/02/2019 23:53, Vincent Untz wrote:

Hey,

Le jeudi 21 février 2019, à 11:41 +0100, Richard Brown a écrit :

...

On Thu, 21 Feb 2019 at 11:01, Lars Vogdt wrote:

...

openSUSE membership can be managed via paper. Setting up Email aliases and IRC cloaks can be stopped until there is a new tool established. Lost trust and data because of security breaches is way harder to restore and will result in much more work for everyone.

We can't just have people randomly turning off services which provide key planks to the project. If OBS dissapeared tomorrow without replacement we wouldn't have any distributions. If connect.opensuse.org disappears tomorrow we don't have any Project members.

If the relevant info is exported, why would we not have any project members anymore?

We will still have members but will not have a way to add new members, keeping a couple of copies of the list somewhere secure probably isn't that hard but keeping it and its backups up to date and accessible by the right people isn't so simple. Yes we could just keep a piece of paper on Richard's desk but given he's in a open office from memory I doubt that would meet GDPR requirements. -- Simon Lees (Simotek) http://simotek.net Emergency Update Team keybase.io/simotek SUSE Linux Adelaide Australia, UTC+10:30 GPG Fingerprint: 5B87 DB9D 88DC F606 E489 CEC5 0922 C246 02F0 014B -- To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org To contact the owner, email: opensuse-project+owner@opensuse.org

Le vendredi 22 février 2019, à 10:27 +1030, Simon Lees a écrit :

On 21/02/2019 23:53, Vincent Untz wrote:

...

Hey,

Le jeudi 21 février 2019, à 11:41 +0100, Richard Brown a écrit :

...

On Thu, 21 Feb 2019 at 11:01, Lars Vogdt wrote:

...

openSUSE membership can be managed via paper. Setting up Email aliases and IRC cloaks can be stopped until there is a new tool established. Lost trust and data because of security breaches is way harder to restore and will result in much more work for everyone.

We can't just have people randomly turning off services which provide key planks to the project. If OBS dissapeared tomorrow without replacement we wouldn't have any distributions. If connect.opensuse.org disappears tomorrow we don't have any Project members.

If the relevant info is exported, why would we not have any project members anymore?

We will still have members but will not have a way to add new members, keeping a couple of copies of the list somewhere secure probably isn't that hard but keeping it and its backups up to date and accessible by the right people isn't so simple.

As said, it's something I would deal in a reactive way, and it's a matter of priorities. It's bad to not be able to update our list of members, but it's even worse to have connect.o.o up and running.

Yes we could just keep a piece of paper on Richard's desk but given he's in a open office from memory I doubt that would meet GDPR requirements.

I can't comment on the GDPR bit. But on top of the nextcloud/owncloud proposal and the galette proposal, I can suggest: - have a private git repo somewhere; could be the closed gitlab instance we have for the infra, could be just a git repo in a VM that is reached with ssh access - even a text file in a VM with only access from membership officials - temporarily have a bottleneck who would maintain the list in a secure way (not a piece of paper on a desk). And yes, the bottleneck could be Richard for instance. The "replacement" doesn't necessarily require somebody to step up and set up a new service. But again, what is important here is to retire a service that is not maintained, has security issues, and contains personal data. This should be the priority. Cheers, Vincent -- Les gens heureux ne sont pas pressés. -- To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org To contact the owner, email: opensuse-project+owner@opensuse.org

Am Freitag, 22. Februar 2019, 11:40:32 CET schrieb Richard Brown:

The "replacement" has the following clear requirements

1) Aspiring Members must have a way of applying to be a member. 2) This application must include some details of their contributions for the Membership Committee to verify. 3) The membership committee must have some way to coordinate their activities so the decisions to +1/-1 an application are honoured. 4) The decisions of the membership committee must have some way of being tracked 5) Some way of granting the perks of Membership (eg. opensuse.org email addresses and voting) must be provided

Currently only connect.o.o provides the above, and I do not yet see suggestions that address the above requirements

And I still don't see how a calc file couldn't solve all of these issues: 1) Email to membership-apply@o.o 2) Contents of the Email from 1) 3) Shared calc file 4) Shared calc file 5) Shared calc file plus creating email alias and adding the user to helios My impression is that this whole thing is grown overly complicated over the years. Let's just trim it and keep things both easy to use and to maintain. Regards, vinz. -- To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org To contact the owner, email: opensuse-project+owner@opensuse.org

On Fri, 22 Feb 2019 at 12:19, Vinzenz Vietzke wrote:

Am Freitag, 22. Februar 2019, 11:40:32 CET schrieb Richard Brown:

...

The "replacement" has the following clear requirements

1) Aspiring Members must have a way of applying to be a member. 2) This application must include some details of their contributions for the Membership Committee to verify. 3) The membership committee must have some way to coordinate their activities so the decisions to +1/-1 an application are honoured. 4) The decisions of the membership committee must have some way of being tracked 5) Some way of granting the perks of Membership (eg. opensuse.org email addresses and voting) must be provided

Currently only connect.o.o provides the above, and I do not yet see suggestions that address the above requirements

And I still don't see how a calc file couldn't solve all of these issues:

1) Email to membership-apply@o.o 2) Contents of the Email from 1) 3) Shared calc file 4) Shared calc file 5) Shared calc file plus creating email alias and adding the user to helios

My impression is that this whole thing is grown overly complicated over the years. Let's just trim it and keep things both easy to use and to maintain.

Again, you have totally missed my point Your observations regarding 1-5 above might be valid They might not Fact is, it doesn't bloody matter until you speak to the people impacted I'm not the Membership Officials, this is not the Membership Officials mailinglist. we're talking about changing the workflow and tools by those contributors. If I was a Membership Official, I would be bloody pissed off to find a mailinglist thread discussing the future work I would have to do without consulting with me first. Forget the bloody technology for a second, think about the people, start reaching out to them and talking to them. Until then, all this debate is hot air. -- To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org To contact the owner, email: opensuse-project+owner@opensuse.org

Richard, Le vendredi 22 février 2019, à 11:40 +0100, Richard Brown a écrit :

On Fri, 22 Feb 2019 at 09:23, Vincent Untz wrote:

...

The "replacement" doesn't necessarily require somebody to step up and set up a new service.

But again, what is important here is to retire a service that is not maintained, has security issues, and contains personal data. This should be the priority.

The "replacement" has the following clear requirements

[...]

Stomping feet and demanding servers are turned off is not going to accomplish that. Instead, please direct your energies to ensuring actions taken for good technical reasons don't produce larger personal and constitutional impacts for the Project.

I think we're not discussing exactly at the same level: I'm interested in what is most important to do. I will oversimplify this with a simple question to the board: Is it more important to enable people to become openSUSE members or to properly secure the data of existing openSUSE members? When I read your answer, I understand the former is more important. That's what I disagree with. And don't get me wrong: of course both are important, and ideally we'd do both; and yes, I'm oversimplifying and the world is not black and white. But I'm reading that we failed to take action on this for an extended amount of time, and the solution is not to wait for people to take action. Vincent -- Les gens heureux ne sont pas pressés. -- To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org To contact the owner, email: opensuse-project+owner@opensuse.org

On Fri, 22 Feb 2019 at 13:17, Vincent Untz wrote:

When I read your answer, I understand the former is more important. That's what I disagree with.

And don't get me wrong: of course both are important, and ideally we'd do both; and yes, I'm oversimplifying and the world is not black and white. But I'm reading that we failed to take action on this for an extended amount of time, and the solution is not to wait for people to take action.

I'll give you a black and white answer. It doesn't matter which you, or I, think is more important. The only thing that matters is what are the contributors to the openSUSE Project motivated to actually do. We can't create a solution out of thin are, and we shouldn't be in the business of making problems worse for the Project. People should be motivated and empowered to take care of the things that bother them. This is an echo of the view you yourself expressed when the topic of connect.opensuse.org first came up in your last face to face meeting as Chairman. The technical and practical realities have not changed in any material way since then. There's a problem, it needs addressing, but if no one in the community is willing to address it, then it almost certainly will end up lingering around until some people are motivated to address it. Maybe now this is finally the time, if so, great! But, in the burst of enthusiasm that this problem seems to be endearing, I think the most important than is we don't lose sight of the contributors impacted. In my view, the door is wide-wide open for a solution, but my view doesn't really matter. The only opinions that really do are the views of the people who will implement a new solution, the Membership Officials who'll have to use the solution, and the Heroes who'll have to decommission connect.o.o and handle any replacement. I'm not convinced the first group have taken the important steps of engaging closely with the latter 2 groups. Lets make sure we put the people first, that's all I'm advocating for here. -- To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org To contact the owner, email: opensuse-project+owner@opensuse.org

Am Freitag, 22. Februar 2019, 13:03:55 CET schrieb Richard Brown:

If I was a Membership Official, I would be bloody pissed off to find a mailinglist thread discussing the future work I would have to do without consulting with me first. Forget the bloody technology for a second, think about the people, start reaching out to them and talking to them.

This is the -project mailing list. The topic is relevant for the project, connect is part of the project's infrastructure. Furthermore I can see at least two membership committee persons in this thread literally asking where to help instead of being pissed. So, maybe your assumptions are just wrong and by pushing the technology aside you're derailing the discussion from it's boiling point: finding a solution for the problem instead of pointing towards symptoms.

Until then, all this debate is hot air.

Oh come on, seriously? Regards, vinz. -- To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org To contact the owner, email: opensuse-project+owner@opensuse.org

Am Freitag, 22. Februar 2019, 14:37:53 CET schrieb Richard Brown:

Facilitate communication with all areas of the community - this mailinglist is insufficient, the Heroes and Committee need to be involved, it's the Board's job to remind everyone here of that. Facilitate decision making processes where needed. - the Membership Officials and Heroes need to have their say in this decision, it's the Board job to remind everyone here of that.

I disagree. My idea is that this mailinglist distills one or more proposals and presents them to the people involved afterwards, fetching some comments, but mostly being fixed. If heroes and committee want to get involved into this process here's the place and people listening. Otherwise they somehow have to accept that their influx is limited in the aftermath. Requesting people to run around and ask everyone to get involved makes this mailinglist mostly pointless. And furthermore this attitude transports the message that any discussion here is worth nothing - as long as not everyone got is personal invitation to take part. (I'm exaggerating of course. But you get my point.)

Take care of those things, and we can all quite happily race ahead to a new solution, but, yes, seriously, I've got to remind everyone of the other sides of this issue.

Of course. You did that right at the beginning of this thread. Repeating it instead of sticking to the (somewhat technical) discussion is not necessary and gives the impression of an unwanted discussion topic. Regards, vinz. -- To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org To contact the owner, email: opensuse-project+owner@opensuse.org

Hi all (starting a new subthread, I'm not interested in the flame wars) Am 20.02.19 um 10:48 schrieb Alex Christoph Bihlmaier:

Hello dear fellow opensuse-enthusiasts!

I am wondering about openSUSE connect - there is a huge amount of spam on it and it really is not a shiny & bright representation of the openSUSE project.

I looked at it. AFAICT, what the spammers do is: * get an openSUSE (microfocus.com) account * use this account to log into connect and then start throwing crap into the fan to distribute it. How can we solve it? 1) disable these accounts 2) block specific accounts on connect.o.o, even though they are still enabled 3) (not an option yet, see the flame wars) shut down connect.o.o 1) might be hard for the community, as the accounts are maintained by microfocus. Additionally, even an account that "we" (community) identify as a spammer, might still be a paying SUSE / Novell / Microfocus customer, and disabling the account might have unwanted consequences. 2) I have no idea if this is technically possible. Anyone with knowledge of the underlying system around that can tell us if this is possible? If 2) is possible, I would volunteer to go through connect.o.o and disable/block/whatever all accounts that are obvious spam. -- Stefan Seyfried "For a successful technology, reality must take precedence over public relations, for nature cannot be fooled." -- Richard Feynman -- To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org To contact the owner, email: opensuse-project+owner@opensuse.org

On 23/02/2019 15.45, Stefan Seyfried wrote:

Hi all

How can we solve it? 1) disable these accounts 2) block specific accounts on connect.o.o, even though they are still enabled 3) (not an option yet, see the flame wars) shut down connect.o.o

1) might be hard for the community, as the accounts are maintained by microfocus. Additionally, even an account that "we" (community) identify as a spammer, might still be a paying SUSE / Novell / Microfocus customer, and disabling the account might have unwanted consequences. 2) I have no idea if this is technically possible. Anyone with knowledge of the underlying system around that can tell us if this is possible?

If 2) is possible, I would volunteer to go through connect.o.o and disable/block/whatever all accounts that are obvious spam.

I also volunteered for #2. But I don't know yet how to get access and how to get whatever information is available about the platform. -- Cheers / Saludos, Carlos E. R. (from 15.0 x86_64 at Telcontar)

On 2/23/19 6:45 AM, Stefan Seyfried wrote:

Hi all

(starting a new subthread, I'm not interested in the flame wars)

Don't worry about flame wars. The Community looks like it is coming together on this to work on a solution. ;-)

Am 20.02.19 um 10:48 schrieb Alex Christoph Bihlmaier:

...

Hello dear fellow opensuse-enthusiasts!

I am wondering about openSUSE connect - there is a huge amount of spam on it and it really is not a shiny & bright representation of the openSUSE project.

I looked at it.

AFAICT, what the spammers do is: * get an openSUSE (microfocus.com) account * use this account to log into connect and then start throwing crap into the fan to distribute it.

How can we solve it? 1) disable these accounts 2) block specific accounts on connect.o.o, even though they are still enabled 3) (not an option yet, see the flame wars) shut down connect.o.o

1) might be hard for the community, as the accounts are maintained by microfocus. Additionally, even an account that "we" (community) identify as a spammer, might still be a paying SUSE / Novell / Microfocus customer, and disabling the account might have unwanted consequences. 2) I have no idea if this is technically possible. Anyone with knowledge of the underlying system around that can tell us if this is possible?

If 2) is possible, I would volunteer to go through connect.o.o and disable/block/whatever all accounts that are obvious spam.

Thanks for stepping up. Glad to have you. -- -Gerry Makaro openSUSE Member openSUSE Global Moderator openSUSE Contributor YaST Contributor aka Fraser_Bell on the Forums, OBS, IRC, and mail at openSUSE.org Fraser-Bell on Github -- To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org To contact the owner, email: opensuse-project+owner@opensuse.org

On 24/02/2019 01:15, Stefan Seyfried wrote:

Hi all

(starting a new subthread, I'm not interested in the flame wars)

Am 20.02.19 um 10:48 schrieb Alex Christoph Bihlmaier:

...

Hello dear fellow opensuse-enthusiasts!

I am wondering about openSUSE connect - there is a huge amount of spam on it and it really is not a shiny & bright representation of the openSUSE project.

I looked at it.

AFAICT, what the spammers do is: * get an openSUSE (microfocus.com) account * use this account to log into connect and then start throwing crap into the fan to distribute it.

How can we solve it? 1) disable these accounts 2) block specific accounts on connect.o.o, even though they are still enabled 3) (not an option yet, see the flame wars) shut down connect.o.o

1) might be hard for the community, as the accounts are maintained by microfocus. Additionally, even an account that "we" (community) identify as a spammer, might still be a paying SUSE / Novell / Microfocus customer, and disabling the account might have unwanted consequences.

Sometime in the not to distant future, if it hasn't happened already this will no longer be an issue as with the Microfocus - SUSE Split all the accounts should be duplicated / separated where needed, the only potential downside here is the people who can probably bulk disable a bunch of accounts or come up with a way to do something similar are also exceptionally busy working on splitting everything that needs to be split.

2) I have no idea if this is technically possible. Anyone with knowledge of the underlying system around that can tell us if this is possible?

If 2) is possible, I would volunteer to go through connect.o.o and disable/block/whatever all accounts that are obvious spam.

3) given people are starting to step up and actively work on 3, its quite possible that we will reach a point where connect can be killed, maybe even before we have better access / time to deal with spam accounts. There is potentially not much point in cleaning up connect if it looks likely that we will be able to kill it in the next month or two, as its hardly something that new users are going to find we haven't advertised where it is well for a long time and existing users only ever go there to apply for membership which can now be done via email anyway. Which brings me to a thought bubble of I wonder if we just kill the front end or make it only accessible internally to the hero's or even just remove the dns entries for connect so its only findable for the people who still really need to use it. -- Simon Lees (Simotek) http://simotek.net Emergency Update Team keybase.io/simotek SUSE Linux Adelaide Australia, UTC+10:30 GPG Fingerprint: 5B87 DB9D 88DC F606 E489 CEC5 0922 C246 02F0 014B -- To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org To contact the owner, email: opensuse-project+owner@opensuse.org

Am 26.02.19 um 13:25 schrieb Stefan Seyfried:

Am 26.02.19 um 11:28 schrieb Carlos E. R.:

...

They told me to delete users. Banning is possible but not recommended,

I just found out that banning works perfectly fine.

...

it just puts a notice. I just asked admin about your concern on 1).

All connect.o.o admins (you and me for example :-) will still see the banned account, but normal users will not. Banning has the additional benefit, that it can be undone, in case we judge wrong. Deleting can't be undone AFAICT. -- Stefan Seyfried "For a successful technology, reality must take precedence over public relations, for nature cannot be fooled." -- Richard Feynman -- To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org To contact the owner, email: opensuse-project+owner@opensuse.org

On 2/26/19 2:55 AM, Simon Lees wrote:

3) given people are starting to step up and actively work on 3, its quite possible that we will reach a point where connect can be killed, maybe even before we have better access / time to deal with spam accounts. There is potentially not much point in cleaning up connect if it looks likely that we will be able to kill it in the next month or two, as its hardly something that new users are going to find we haven't advertised where it is well for a long time and existing users only ever go there to apply for membership which can now be done via email anyway. Which brings me to a thought bubble of I wonder if we just kill the front end or make it only accessible internally to the hero's or even just remove the dns entries for connect so its only findable for the people who still really need to use it.

Oh, yes, I agree, mostly. However, in discussions with cboltz, tampakrap, and lcp yesterday, we thought that with some of the proposed solutions, some cleanup would help when porting information to the new system. At any rate, it could not hurt, and it looks to me like Carlos and Stefan are doing a super job. -- -Gerry Makaro openSUSE Member openSUSE Global Moderator openSUSE Contributor YaST Contributor aka Fraser_Bell on the Forums, OBS, IRC, and mail at openSUSE.org Fraser-Bell on Github -- To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org To contact the owner, email: opensuse-project+owner@opensuse.org

On 26/02/2019 15.32, Stefan Seyfried wrote:

Am 26.02.19 um 13:25 schrieb Stefan Seyfried:

...

Am 26.02.19 um 11:28 schrieb Carlos E. R.:

...

They told me to delete users. Banning is possible but not recommended,

I just found out that banning works perfectly fine.

...

...

it just puts a notice. I just asked admin about your concern on 1).

All connect.o.o admins (you and me for example :-) will still see the banned account, but normal users will not.

Banning has the additional benefit, that it can be undone, in case we judge wrong. Deleting can't be undone AFAICT.

I noticed today, without login, a user named "Jolie Ville Royal Peninsula Hotel & Resort", but clicking produces nothing, so I suppose he is banned. I login to check. Oh, it disappeared from the page. Searching... yes, the user exists, but banned. It is a pity the name still shows. What a name, what a cheek! Could we put creation of groups or polls by new users on moderation? That would block most new spam. I guess that would mean modification of the platform, coding, so better not touch it. If connect is a platform that was developed for us, I find it amazing. -- Cheers / Saludos, Carlos E. R. (from 15.0 x86_64 at Telcontar)

On 01/03/2019 13.26, Stefan Seyfried wrote:

Hi Carlos,

Am 01.03.19 um 10:43 schrieb Carlos E. R.:

...

I noticed today, without login, a user named "Jolie Ville Royal Peninsula Hotel & Resort", but clicking produces nothing, so I suppose he is banned. I login to check. Oh, it disappeared from the page. Searching... yes, the user exists, but banned.

It is a pity the name still shows. What a name, what a cheek!

All we can do here is to change the name (I changed it to "spammer" now :-)), but that's considerable more effort than just clicking "ban", hit "enter" and be done.

oh! I didn't know it was possible.

...

Could we put creation of groups or polls by new users on moderation? That would block most new spam. I guess that would mean modification of the platform, coding, so better not touch it.

If connect is a platform that was developed for us, I find it amazing.

No, it's elgg https://elgg.org/, probably mostly standard with some non-standard config, skin and maybe plugins.

Ah!

But I really would not touch it anymore. I'll just keep an eye on new accounts and ban them once they start spamming. During office hours, their TTL is usually less than 30 minutes ;-), on non-work days, I'll probably just look after it once per day.

Yes, I'm also checking (not that often), but you beat me to it ;-) -- Cheers / Saludos, Carlos E. R. (from 15.0 x86_64 at Telcontar)

Am 01.03.19 um 21:10 schrieb Carlos E. R.:

On 01/03/2019 13.26, Stefan Seyfried wrote:

...

Hi Carlos,

Am 01.03.19 um 10:43 schrieb Carlos E. R.:

...

I noticed today, without login, a user named "Jolie Ville Royal Peninsula Hotel & Resort", but clicking produces nothing, so I suppose he is banned. I login to check. Oh, it disappeared from the page. Searching... yes, the user exists, but banned.

It is a pity the name still shows. What a name, what a cheek!

All we can do here is to change the name (I changed it to "spammer" now :-)), but that's considerable more effort than just clicking "ban", hit "enter" and be done.

oh! I didn't know it was possible.

Actually, after a few days (I doubt they'll come back after their initial spam setup) we can also delete them, if it is obvious spam (there are slight doubts on accounts that only have cyrillic or chinese characters in their description and links, so I'll not delete them to avoid deleting a spammy-looking (to me :-) legitimate account), a few days later. I have done this now to clean up the front page. -- Stefan Seyfried "For a successful technology, reality must take precedence over public relations, for nature cannot be fooled." -- Richard Feynman -- To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org To contact the owner, email: opensuse-project+owner@opensuse.org