On Sat, 30 Aug 2008 21:46:58 +0300, Axel Thimm wrote:

> I agree with Michael about 10^10%.
>
> FAS accounts should be only one for each user. If there are needs for
> having several accounts for one person, these needs should be
> explained and either the FAS system extended to cover these cases, or
> special cased by whatever entity (fesco, fab, Fedora infra team?) is
> authoritative.
>
> Isn't there perhaps already some texting that one needs to click
> through that has the user sign that he will use only that account?
> Otherwise could someone add this?
>
> Besides bodhi fake voting this can even be used for fab/fesco fake
> voting (although it is probably harder to mark several
> same-person-accounts as packager accounts w/o anyone noticing it)!

Just for the record and because my original post went to
fedora-buildsys-list.

I've stumbled into suspicious voting activity in bodhi, such as:

  https://admin.fedoraproject.org/updates/PackageKit-0.2.4-6.fc9 (pending)

  +1 acottle - 2008-08-27 22:24:21
  +1 auscity - 2008-08-27 22:24:46
  +1 dcottle - 2008-08-27 22:25:11

There are more like that from those users. They have several things in
common. Never any comment except for sporadic words (or discussion with
other voters) from dcottle. Just the +1. Usually at least two of these
accounts vote in bodhi at the same time (i.e. with a delay of approx. 20
seconds like above) and always on the same updates for both F9 and F8.
It is often voted on pending updates, where downloading from koji is
necessary. You can learn in one of dcottle's comments to a kernel
update, where users use bodhi to chat a bit, that his daily routine is
to look for new builds "in koji" in the morning hours. And yet it's
three accounts that vote at the same time on the same updates.

Of course, I'm paranoid. ;) Of course, this is not the same person
behind those accounts.
One can imagine how they sit next to each other and practise voting in
bodhi at the same time several days a week for every update they try. :)

So, ... FAS confirmed that users dcottle and auscity are the same person
(actually with the email addresses swapped to make the connection even
more obvious), and acottle shares the surname *and* the domain name in
the email address.

After I had mailed the three users and the list, I've received four
angry replies from the person trying to explain that the multiple votes
are done because the updates are tested on several machines. About an
hour ago I've received a rude reply that mentioned the obvious
possibility (or is it a threat of what to expect next?) of "registering
countless hotmail, yahoo or free accounts and commenting all day long"
and a pool of 64 IP addresses in order to conceal the activity in bodhi.

It's great that dcottle (David Cottle) has been such an active update
tester, who's listed somewhere near the top of bodhi's new metrics. Yet,
spending +3 karma points instead of just one should not be done with
three accounts. Superhero testers (especially those who really test
hardware-dependent updates on lots of different hardware) could gain
extra privileges in bodhi or be marked as VIPs in the future. I'm sure
something can be done to reward them for their contribution and to aid
package maintainers in deciding what level of testing an update has
seen. However, all I see so far is an attempt at raising karma in bodhi
in the hope that the updates will be pushed to stable sooner. And that
is foul play IMO.
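Added example, not part of the original message: the co-voting pattern described in the post (the same accounts voting within seconds of each other on the same updates, repeatedly) written as a check over vote listings in the `+1 user - timestamp` shape quoted there. The account names, update names, the 60-second window and the two-update threshold are constructed assumptions, not bodhi data or bodhi code.

```python
import re
from collections import defaultdict
from datetime import datetime
from itertools import combinations

# Constructed sample data in the "+1 user - timestamp" shape quoted in the message.
# Update names and account names are placeholders, not real bodhi records.
SAMPLE = """\
update-A
+1 user_a - 2008-08-27 22:24:21
+1 user_b - 2008-08-27 22:24:46
+1 user_c - 2008-08-27 22:25:11
+1 tester1 - 2008-08-28 09:02:10
update-B
+1 user_b - 2008-08-28 07:10:05
+1 user_a - 2008-08-28 07:10:27
+1 tester2 - 2008-08-28 07:10:40
update-C
+1 user_c - 2008-08-29 06:55:00
+1 user_a - 2008-08-29 06:55:19
+1 tester1 - 2008-08-29 18:30:00
"""

VOTE_RE = re.compile(r"^[+-]1\s+(\S+)\s+-\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)$")

def parse_votes(text):
    """Return {update: [(user, datetime), ...]}; a non-vote line names the update."""
    votes, current = defaultdict(list), None
    for line in map(str.strip, text.splitlines()):
        m = VOTE_RE.match(line)
        if m and current is not None:
            votes[current].append((m.group(1), datetime.strptime(m.group(2), "%Y-%m-%d %H:%M:%S")))
        elif line and not m:
            current = line
    return votes

def co_voting_pairs(votes, window_s=60, min_updates=2):
    """Account pairs that voted within window_s seconds of each other on >= min_updates updates."""
    seen = defaultdict(set)
    for update, entries in votes.items():
        for (u1, t1), (u2, t2) in combinations(entries, 2):
            if u1 != u2 and abs((t1 - t2).total_seconds()) <= window_s:
                seen[tuple(sorted((u1, u2)))].add(update)
    return {pair: sorted(ups) for pair, ups in seen.items() if len(ups) >= min_updates}

if __name__ == "__main__":
    for pair, updates in sorted(co_voting_pairs(parse_votes(SAMPLE)).items()):
        print(pair, updates)
```

Requiring the pair to recur across several updates is what keeps a one-off coincidence (tester2 in the sample) out of the result; a flagged pair is a lead for checking account records, as was done with FAS here, not proof on its own.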