On Sat, 30 Aug 2008, Seth Vidal wrote: > On Sun, 2008-08-31 at 00:57 +0200, Michael Schwendt wrote: > > On Sat, 30 Aug 2008 21:46:58 +0300, Axel Thimm wrote: > > > > > I agree with Michael about 10^10%. > > > > > > FAS accounts should be only one for each user. If there are needs for > > > having several accounts for one person, these needs should be > > > explained and either the FAS system extended to cover these cases, or > > > special cased by whatever entity (fesco, fab, Fedora infra team?) is > > > authoritative. > > > > > > Isn't there perhaps already some texting that one needs to click > > > through that has the user sign that he will use only that account? > > > Otherwise could someone add this? > > > > > > Besides bodhi fake voting this can even be used for fab/fesco fake > > > voting (although it is probably harder to mark several > > > same-person-accounts as packager accounts w/o anyone noticing it)! > > > > Just for the record and because my original post went to fedora-buildsys-list. > > I've stumbled into suspicious voting activity in bodhi, such as: > > > > https://admin.fedoraproject.org/updates/PackageKit-0.2.4-6.fc9 > > (pending) > > > > +1 acottle - 2008-08-27 22:24:21 > > +1 auscity - 2008-08-27 22:24:46 > > +1 dcottle - 2008-08-27 22:25:11 > > > > There are more like that from those users. They have several things in > > common. Never any comment except for sporadic words (or discussion with > > other voters) from dcottle. Just the +1. Usually at least two of these > > accounts vote in bodhi at the same time (i.e. with a delay of approx. 20 > > seconds like above) and always on the same updates for both F9 and F8. > > It is often voted on pending updates, where downloading from koji is > > necessary. > > > > You can learn in one of dcottle's comments to a kernel update, where users > > use bodhi to chat a bit, that his daily routine is to look for new builds > > "in koji" in the morning hours. And yet it's three accounts that vote at > > the same time on the same updates. > > > > Of course, I'm paranoid. ;) Of course, this is not the same person > > behind those accounts. One can imagine how they sit next to eachother > > and practise voting in bodhi at the same time several days a week > > for every update they try. :) > > > > So, ... FAS confirmed that users dcottle and auscity are the same person > > (actually with the email addresses swapped to make the connection even > > more obvious), and acottle shares the surname *and* the domain name in the > > email address. > > > > After I had mailed the three users and the list, I've received four angry > > replies from the person trying to explain that the multiple votes are done > > because the updates are tested on several machines. About an hour ago > > I've received a rude reply that mentioned the obvious possibility (or is > > it a threat of what to expect next?) of "registering countless hotmail, > > yahoo or free accounts and commenting all day long" and a pool of 64 IP > > addresses in order to conceal the activity in bodhi. > > > > > > It's great that dcottle (David Cottle) has been such an active update > > tester, who's listed somewhere near the top of bodhi's new metrics. Yet, > > spending +3 karma points instead of just one should not be done with three > > accounts. Superhero testers (especially those who really test > > hardware-dependent updates on lots of different hardware) could gain extra > > privileges in bodhi or be marked as VIPs in the future. I'm sure something > > can be done to reward them for their contribution and to aid package > > maintainers in deciding what level of testing an update has seen. > > > > However, all I see so far is an attempt at raising karma in bodhi in the > > hope that the updates will be pushed to stable sooner. And that is > > foul play IMO. > > Yes, This seems like a real problem to me. > > Thanks for the heads up. > If this becomes a real problem (or if it is already) we can just create a policy against this sort of thing and enforce it on a per complaint basis. -Mike _______________________________________________ fedora-advisory-board mailing list fedora-advisory-board@xxxxxxxxxx http://www.redhat.com/mailman/listinfo/fedora-advisory-board
