requiring login to perform Trac actions?

[Tim Graham]

There's been some discussion on ticket #22067 and #django-dev about requiring Trac login to help cut down on spam and generally improve the quality of the discussion.

Claude:  I think that forcing registration would be fine. It adds a small barrier to reporting bugs, but I think it's acceptable, and many projects have already chosen to do so.

me: I'm in favor of requiring registration as well. When I posed this on IRC, Aymeric mentioned: "BDFLs were very attached to the ability to report issues without creating an account." On the other hand, we've seen anonymously reported issues where we respond and don't know if the reporter will ever respond since they won't be notified of our response. There also a fair number of comments and other changes that are accidentally made anonymously which results in some extra noise.

If you believe the "create an account" barrier is a problem, do you think adding something like GitHub auth to Trac would lower the barrier to an acceptable level?

[anubhav joshi]

If you believe the "create an account" barrier is a problem, do you think adding something like GitHub auth to Trac would lower the barrier to an acceptable level?

 I am in favour of this, as while I was going through tickets, I have found many tickets where people have anonymously posted replies and never replied.....

Regards,

Anubhav Joshi

[Russell Keith-Magee]

On Mon, Mar 3, 2014 at 10:17 PM, Tim Graham <timog...@gmail.com> wrote:

There's been some discussion on ticket #22067 and #django-dev about requiring Trac login to help cut down on spam and generally improve the quality of the discussion.

Claude:  I think that forcing registration would be fine. It adds a small barrier to reporting bugs, but I think it's acceptable, and many projects have already chosen to do so.

me: I'm in favor of requiring registration as well. When I posed this on IRC, Aymeric mentioned: "BDFLs were very attached to the ability to report issues without creating an account." On the other hand, we've seen anonymously reported issues where we respond and don't know if the reporter will ever respond since they won't be notified of our response. There also a fair number of comments and other changes that are accidentally made anonymously which results in some extra noise.

I completely agree that the spam is well out of control, and we need to do *something*.

Providing the historical perspective (get off my lawn, you kids! :-) - we didn't enforce registration because we wanted to make sure the barrier to contribution was as low as possible. If someone finds a bug and they work up the courage to lodge a ticket, they don't care about our process - they just want to contribute. Every hoop we make them jump through is one more chance that they'll walk away without providing their feedback. And the feedback of people who are brand new to the project is often the most valuable, because it shows you where the cognitive dissonance lies in your tutorial and documentation.

This was especially true in the early days, when we weren't a huge project. In those days, every new contributor was gold, and to that end, *any* bug report was worthwhile. On top of that, in the early days the bugs that did exist were obvious enough that with a bit of a poke in the general direction, someone else could probably triage them.

This decision was then reinforced by the number of people who had problems with the Trac login process. I don't know if it's because we've got it configured wrong, or if it's just inherently bad (it's been over 8 years since I created my account, so I don't remember my initial experience), but there's been a constant undercurrent of "My trac signup didn't work" messages on django-dev for as long as I can remember.

Of course, new contributors are still gold, and we shouldn't do anything that will discourage contributions, but we have a little more momentum now.

 

If you believe the "create an account" barrier is a problem, do you think adding something like GitHub auth to Trac would lower the barrier to an acceptable level?

This sounds like a reasonable option to me. Any halfway serious potential contributor should have a Github account, and it matches Django's own toolchain. The oAuth process is pretty smooth, so the problem set is down to "users who are genuinely new to software". 

The only other option I can think of would be to do the same thing that we do with Google Groups - the first post for each contributor is held for moderation. Of course, in the Google Groups case, every user is already logged in…

Yours,

Russ Magee %-)

[Marc Tamlyn]

+1 to github oauth and requiring login. Having github auth, especially for new reports is very useful and would help to tie together when people use different names.

Marc

--
You received this message because you are subscribed to the Google Groups "Django developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-develop...@googlegroups.com.
To post to this group, send email to django-d...@googlegroups.com.
Visit this group at http://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAJxq848cSSyOMUh21XEQ%3DkwcdLyCQ9nDYPw40mWiHB7J%3DsLZ%2Bw%40mail.gmail.com.
For more options, visit https://groups.google.com/groups/opt_out.

[Anssi Kääriäinen]

I'd like to have some security against reporting as somebody else. Currently one can report or comment anonymously and mark reporter as core committer. This is too easy to abuse. +1 for requiring login. At least force anonymous reports to be anonymous.

 - Anssi

To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAMwjO1H9pRBx57Oq-zEEXvKoSEita8CpqDsfaWkounX1VMbC9g%40mail.gmail.com.

[Sam Lai]

On 4 March 2014 10:44, Russell Keith-Magee <rus...@keith-magee.com> wrote:
>> If you believe the "create an account" barrier is a problem, do you think
>> adding something like GitHub auth to Trac would lower the barrier to an
>> acceptable level?
>
>
> This sounds like a reasonable option to me. Any halfway serious potential
> contributor should have a Github account, and it matches Django's own
> toolchain. The oAuth process is pretty smooth, so the problem set is down to
> "users who are genuinely new to software".

I've worked in a few industries where developers have never heard of
git, even if they spend their whole day on a Linux box and are
definitely not 'new to software'. That said, it is possible that the
subset who use Django are probably likely to be familiar with GitHub
given that Django is a web framework. Maybe some explanatory text at
the login screen would mitigate the issue.

Also, will GitHub oAuth actually solve the sporadic login issues?

[Shai Berger]

On Monday 03 March 2014 16:17:13 Tim Graham wrote:
> There's been some discussion on ticket

> #22067<https://code.djangoproject.com/ticket/22067> and #django-dev about

> requiring Trac login to help cut down on spam and generally improve the
> quality of the discussion.
>

+1 for requiring login, given "mitigation" measures.

>
> If you believe the "create an account" barrier is a problem, do you think
> adding something like GitHub auth to Trac would lower the barrier to an
> acceptable level?

not quite -1, but a strong -0 on "blessing" any single oAuth provider. GitHub
is fine, but so are Google, StackExchange, and even the Evil Empires(TM).

Shai.

[Florian Apolloner]

On Tuesday, March 4, 2014 8:39:36 AM UTC+1, Anssi Kääriäinen wrote:

I'd like to have some security against reporting as somebody else. Currently one can report or comment anonymously and mark reporter as core committer. This is too easy to abuse. +1 for requiring login. At least force anonymous reports to be anonymous.

Even with login, you can fake other users in Trac AFAIK.