Recent gitlab account requests...

Hi team,

Is there any vetting process for gitlab account requests or do we just grant them to whomever asks for them?

—jon

Hi Jon,

> Is there any vetting process for gitlab account requests or do we just grant them to whomever asks for them?

Well, I got suspicious by so many requests in short order - (normally we're at a dozen people a year?) and two requests coming in with the same name but different email addresses. My guess is that these are spam(mers). I already asked on IRC about that yesterday.

With the new installation, is the old process of asking for a registration link via IRC dead? Would we want it again to cut down on automated (spam) account requests?

Ph.

On 3/07/2025 06:39, Philipp Marek wrote:
> Hi Jon,
>> Is there any vetting process for gitlab account requests or do we just grant them to whomever asks for them?
> Well, I got suspicious by so many requests in short order - (normally we're at a dozen people a year?) and two requests coming in with the same name but different email addresses. My guess is that these are spam(mers).
> I already asked on IRC about that yesterday.

Most (if not all) of the requests that came in that burst are probably spam, agreed.

> With the new installation, is the old process of asking for a registration link via IRC dead? Would we want it again to cut down on automated (spam) account requests?

The new installation currently does not support the link-via-IRC method, I imagine that we could reinstate it. Last time we discussed that, there was some concern as to whether link-via-IRC may be "too hard" for legitimate users, given how few people know about/use IRC these days.

Hi Georgiy,

> The new installation currently does not support the link-via-IRC method, I imagine that we could reinstate it.
> Last time we discussed that, there was some concern as to whether link-via-IRC may be "too hard" for legitimate users, given how few people know about/use IRC these days.

AFAIR we had a link to IRC via web there. I guess anything less obscure is too easy for the bots, especially if there is no media break in there (ie a http based captcha or so).

I could imagine having the client solve some challenge, eg. finding some SHA256 HMAC key so that a server generated random token comes up with 24 zero bits in front or so -- perhaps that's too expensive (ie. runs into timeouts) for spammer bots?

Hi Philipp,

On 3/07/2025 14:29, Philipp Marek wrote:
> Hi Georgiy,
>> The new installation currently does not support the link-via-IRC method, I imagine that we could reinstate it.
>> Last time we discussed that, there was some concern as to whether link-via-IRC may be "too hard" for legitimate users, given how few people know about/use IRC these days.
> AFAIR we had a link to IRC via web there.
> I guess anything less obscure is too easy for the bots, especially if there is no media break in there (ie a http based captcha or so).
> I could imagine having the client solve some challenge, eg. finding some SHA256 HMAC key so that a server generated random token comes up with 24 zero bits in front or so -- perhaps that's too expensive (ie. runs into timeouts) for spammer bots?

Currently, GitLab registration is behind a combination of Anubis <https://anubis.techaro.lol/> and reCaptcha. Anubis provides a challenge like the one you described (N zero bits of a hash).
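
The challenge described in this exchange (the client searches for an HMAC-SHA256 key so that the MAC of a server-generated token starts with N zero bits) looks like this in Python. This is an added example, not part of the thread and not Anubis's code; the token layout, `SERVER_SECRET`, `TOKEN_TTL` and all function names are assumptions.

```python
import hashlib
import hmac
import secrets
import time

SERVER_SECRET = secrets.token_bytes(32)  # assumption: per-deployment secret
TOKEN_TTL = 120  # assumption: seconds a challenge stays valid


def leading_zero_bits(digest):
    """Count the zero bits at the front of a digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def issue_challenge(bits, now=None):
    """Server: random token, expiry and difficulty, authenticated with a MAC."""
    expires = int((time.time() if now is None else now) + TOKEN_TTL)
    body = f"{secrets.token_hex(16)}.{expires}.{bits}"
    tag = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def solve(challenge):
    """Client: try HMAC keys until the MAC over the challenge has enough zero bits."""
    bits = int(challenge.split(".")[2])
    counter = 0
    while True:
        mac = hmac.new(counter.to_bytes(8, "big"), challenge.encode(), hashlib.sha256)
        if leading_zero_bits(mac.digest()) >= bits:
            return counter
        counter += 1


def verify(challenge, counter, now=None):
    """Server: one MAC authenticates the challenge, a second checks the work."""
    try:
        token, expires, bits, tag = challenge.split(".")
        body = f"{token}.{expires}.{bits}"
        expected = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return False  # forged or altered challenge, e.g. lowered difficulty
        if (time.time() if now is None else now) > int(expires):
            return False  # expired challenge: old solutions cannot be reused
        key = counter.to_bytes(8, "big")
    except (ValueError, OverflowError, TypeError):
        return False  # malformed challenge or counter
    mac = hmac.new(key, challenge.encode(), hashlib.sha256).digest()
    return leading_zero_bits(mac) >= int(bits)
```

At 24 bits the client needs about 2^24 HMAC computations on average, while the server always needs two. A deployment would also record spent tokens so one solution cannot be replayed within the TTL.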

I definitely agree that requiring a link-via-IRC might be too high of a barrier. Even for someone like myself who's used it for decades in the past, but doesn't use it much any longer, it might be a sufficiently high burden as to preclude registration, thereby driving repos toward alternatives.

With regard to these recent requests, I did post a response 10 days ago to this /lisp post <https://www.reddit.com/r/lisp/comments/1licq8c/now_that_gitkpeio_is_down_how_does_quicklisp/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button> indicating that hosting the quicklisp library repo in our gitlab might be a good alternative. That made me think perhaps some of the uptick in requests were legitimate.

—jon

On Thu, Jul 3, 2025 at 8:19 AM Georgiy Tugai <georgiy@tugai.id.au> wrote:
> On 3/07/2025 06:39, Philipp Marek wrote:
>> Hi Jon,
>>> Is there any vetting process for gitlab account requests or do we just grant them to whomever asks for them?
>> Well, I got suspicious by so many requests in short order - (normally we're at a dozen people a year?) and two requests coming in with the same name but different email addresses. My guess is that these are spam(mers).
>> I already asked on IRC about that yesterday.
>
> Most (if not all) of the requests that came in that burst are probably spam, agreed.
>
>> With the new installation, is the old process of asking for a registration link via IRC dead? Would we want it again to cut down on automated (spam) account requests?
>
> The new installation currently does not support the link-via-IRC method, I imagine that we could reinstate it.
> Last time we discussed that, there was some concern as to whether link-via-IRC may be "too hard" for legitimate users, given how few people know about/use IRC these days.

participants (3)
- Georgiy Tugai
- Jon Boone
- Philipp Marek