On Sun, 2008-08-31 at 00:57 +0200, Michael Schwendt wrote:
> On Sat, 30 Aug 2008 21:46:58 +0300, Axel Thimm wrote:
>
> > I agree with Michael about 10^10%.
> >
> > FAS accounts should be only one for each user. If there are needs for
> > having several accounts for one person, these needs should be
> > explained and either the FAS system extended to cover these cases, or
> > special cased by whatever entity (fesco, fab, Fedora infra team?) is
> > authoritative.
> >
> > Isn't there perhaps already some texting that one needs to click
> > through that has the user sign that he will use only that account?
> > Otherwise could someone add this?
> >
> > Besides bodhi fake voting this can even be used for fab/fesco fake
> > voting (although it is probably harder to mark several
> > same-person-accounts as packager accounts w/o anyone noticing it)!
>
> Just for the record and because my original post went to fedora-buildsys-list.
> I've stumbled into suspicious voting activity in bodhi, such as:
>
> https://admin.fedoraproject.org/updates/PackageKit-0.2.4-6.fc9
> (pending)
>
> +1 acottle - 2008-08-27 22:24:21
> +1 auscity - 2008-08-27 22:24:46
> +1 dcottle - 2008-08-27 22:25:11
>
> There are more like that from those users. They have several things in
> common. Never any comment except for sporadic words (or discussion with
> other voters) from dcottle. Just the +1. Usually at least two of these
> accounts vote in bodhi at the same time (i.e. with a delay of approx. 20
> seconds like above) and always on the same updates for both F9 and F8.
> It is often voted on pending updates, where downloading from koji is
> necessary.
>
> You can learn in one of dcottle's comments to a kernel update, where users
> use bodhi to chat a bit, that his daily routine is to look for new builds
> "in koji" in the morning hours. And yet it's three accounts that vote at
> the same time on the same updates.
>
> Of course, I'm paranoid. ;) Of course, this is not the same person
> behind those accounts. One can imagine how they sit next to each other
> and practise voting in bodhi at the same time several days a week
> for every update they try. :)
>
> So, ... FAS confirmed that users dcottle and auscity are the same person
> (actually with the email addresses swapped to make the connection even
> more obvious), and acottle shares the surname *and* the domain name in the
> email address.
>
> After I had mailed the three users and the list, I've received four angry
> replies from the person trying to explain that the multiple votes are done
> because the updates are tested on several machines. About an hour ago
> I've received a rude reply that mentioned the obvious possibility (or is
> it a threat of what to expect next?) of "registering countless hotmail,
> yahoo or free accounts and commenting all day long" and a pool of 64 IP
> addresses in order to conceal the activity in bodhi.
>
> It's great that dcottle (David Cottle) has been such an active update
> tester, who's listed somewhere near the top of bodhi's new metrics. Yet,
> spending +3 karma points instead of just one should not be done with three
> accounts. Superhero testers (especially those who really test
> hardware-dependent updates on lots of different hardware) could gain extra
> privileges in bodhi or be marked as VIPs in the future. I'm sure something
> can be done to reward them for their contribution and to aid package
> maintainers in deciding what level of testing an update has seen.
>
> However, all I see so far is an attempt at raising karma in bodhi in the
> hope that the updates will be pushed to stable sooner. And that is
> foul play IMO.

Yes, this seems like a real problem to me. Thanks for the heads up.

-sv
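
The timing pattern described in the quoted report (the same accounts casting identical votes seconds apart, on the same updates, repeatedly) can be checked mechanically. The following is an added example, not part of the original thread or of bodhi's code; the input format, update ids, account names and thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from itertools import combinations

# Constructed sample in the "+1 user - timestamp" shape quoted in the thread,
# prefixed with an update id. Update ids and account names are made up.
SAMPLE = """\
pkg-a-1.0-1.fc9 +1 user_a - 2008-08-27 22:24:21
pkg-a-1.0-1.fc9 +1 user_b - 2008-08-27 22:24:46
pkg-a-1.0-1.fc9 +1 user_c - 2008-08-27 22:25:11
pkg-a-1.0-1.fc9 +1 tester9 - 2008-08-28 09:02:00
pkg-b-2.1-3.fc8 +1 user_a - 2008-08-28 07:10:05
pkg-b-2.1-3.fc8 +1 user_b - 2008-08-28 07:10:27
pkg-b-2.1-3.fc8 -1 tester9 - 2008-08-28 07:10:40
pkg-c-0.9-2.fc9 +1 user_c - 2008-08-29 07:15:00
pkg-c-0.9-2.fc9 +1 tester9 - 2008-08-29 18:40:12
"""

def parse_votes(text):
    """Yield (update, karma, user, timestamp) from lines in the sample format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        update, karma, user, _dash, date, time = line.split()
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        yield update, int(karma), user, ts

def correlated_voters(votes, window_s=60, min_updates=2):
    """Return {(user1, user2): n} for account pairs that cast the same karma
    within window_s seconds of each other on at least min_updates updates."""
    by_update = defaultdict(list)
    for update, karma, user, ts in votes:
        by_update[update].append((ts, karma, user))
    shared = defaultdict(set)  # account pair -> updates where they voted together
    for update, rows in by_update.items():
        for (t1, k1, u1), (t2, k2, u2) in combinations(sorted(rows), 2):
            close = abs((t2 - t1).total_seconds()) <= window_s
            if u1 != u2 and k1 == k2 and close:
                shared[tuple(sorted((u1, u2)))].add(update)
    return {p: len(ups) for p, ups in shared.items() if len(ups) >= min_updates}

if __name__ == "__main__":
    for pair, n in sorted(correlated_voters(parse_votes(SAMPLE)).items()):
        print(pair, "voted together on", n, "updates")
```

A flagged pair is a lead for manual review against account records, not proof on its own: testers sharing a household or running several machines can produce the same timing.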