Arch wiki is widely used by the entire community, but it is addressed to Arch users and is meant to contain information relevant to Arch.⁽¹⁾ Therefore changes must be tested on actual Arch, which implies that the editor must have one at hand to solve the puzzle.

First of all, my problem is with the requirement to verify that the user is currently using Arch, as the Arch Wiki is a very popular resource in the greater Linux community, since a lot of its content applies to software that is commonly seen on other distributions. For example, I wanted to make a change (which I encountered configuring an Arch system) that was useful to everyone who used systemd; anyone, be it an Ubuntu, Debian, Fedora, etc. user, may have found it on the Arch wiki. I think (I'm not sure, anyone is welcome to prove me wrong) that the small number of users trying to post good-faith but off-topic, non-Arch-related content should be stopped by having their changes undone, while people who are Arch Linux users may still fail the challenge (i.e. using a non-Arch system at the time, or using an Arch system with a different version of pacman).
I truly appreciate the will to help and I am certain other Archers do too. But be aware that providing information that doesn’t work on Arch is counterproductive and causes trouble to people seeking help.
There are some minor exceptions, like housekeeping activities. If one wishes to do that and is open about the situation, help in solving the captcha was always given in #archlinux@Libera. But please note the previous paragraph.
They are never perfect. It is not their purpose to be. They should only *limit* untargeted attacks. Empirical data shows that even the simplest solutions, like “Put number 42 in the next field”, are so far effective.

However, my second, larger problem is that it doesn't seem that it'd be a very good spam prevention mechanism. The CAPTCHA seems to be the same for all users, and changes very infrequently. (pacman version 6.0.1 (according to https://archlinux.org/pacman/#_releases, released in September 2021) and 6.0.2 (according to https://archlinux.org/packages/core/x86_64/pacman/, released in November 2022) were released over a year apart, so any spammer could define the captcha challenge for the Arch Wiki and post spam for many months.)
Determined attackers can do anything, short of breaking the laws of physics. The most persistent cases are known to relentlessly continue disruptive activity manually, even constantly obtaining new IP ranges, for over a decade.

Determined spammers could even write a system to run the command inside an Arch Linux container and cache it until the challenge does not work.
While desired and whenever possible appreciated, being absolutely perfect is never the goal in security. It is balancing risks and costs: minimizing the adversary’s success rate, done by addressing actually occurring issues.
____

⁽¹⁾ https://wiki.archlinux.org/title/ArchWiki:About#Goals