One person - several FAS accounts? (was: bodhi abuse?)

Seth Vidal skvidal at fedoraproject.org
Sun Aug 31 03:29:17 UTC 2008


On Sun, 2008-08-31 at 00:57 +0200, Michael Schwendt wrote:
> On Sat, 30 Aug 2008 21:46:58 +0300, Axel Thimm wrote:
> 
> > I agree with Michael about 10^10%.
> > 
> > FAS accounts should be only one for each user. If there are needs for
> > having several accounts for one person, these needs should be
> > explained and either the FAS system extended to cover these cases, or
> > special cased by whatever entity (fesco, fab, Fedora infra team?) is
> > authoritative.
> > 
> > Isn't there perhaps already some texting that one needs to click
> > through that has the user sign that he will use only that account?
> > Otherwise could someone add this?
> > 
> > Besides bodhi fake voting this can even be used for fab/fesco fake
> > voting (although it is probably harder to mark several
> > same-person-accounts as packager accounts w/o anyone noticing it)!
> 
> Just for the record and because my original post went to fedora-buildsys-list.
> I've stumbled into suspicious voting activity in bodhi, such as:
> 
>   https://admin.fedoraproject.org/updates/PackageKit-0.2.4-6.fc9
>     (pending)
> 
>   +1 acottle - 2008-08-27 22:24:21
>   +1 auscity - 2008-08-27 22:24:46
>   +1 dcottle - 2008-08-27 22:25:11
> 
> There are more like that from those users. They have several things in
> common. Never any comment except for sporadic words (or discussion with
> other voters) from dcottle. Just the +1. Usually at least two of these
> accounts vote in bodhi at the same time (i.e. with a delay of approx. 20
> seconds like above) and always on the same updates for both F9 and F8.
> It is often voted on pending updates, where downloading from koji is
> necessary.
> 
> You can learn in one of dcottle's comments to a kernel update, where users
> use bodhi to chat a bit, that his daily routine is to look for new builds
> "in koji" in the morning hours. And yet it's three accounts that vote at
> the same time on the same updates.
> 
> Of course, I'm paranoid. ;) Of course, this is not the same person
> behind those accounts. One can imagine how they sit next to each other
> and practise voting in bodhi at the same time several days a week
> for every update they try. :)
> 
> So, ... FAS confirmed that users dcottle and auscity are the same person
> (actually with the email addresses swapped to make the connection even
> more obvious), and acottle shares the surname *and* the domain name in the
> email address.
> 
> After I had mailed the three users and the list, I've received four angry
> replies from the person trying to explain that the multiple votes are done
> because the updates are tested on several machines.  About an hour ago
> I've received a rude reply that mentioned the obvious possibility (or is
> it a threat of what to expect next?) of "registering countless hotmail,
> yahoo or free accounts and commenting all day long" and a pool of 64 IP
> addresses in order to conceal the activity in bodhi.
> 
> 
> It's great that dcottle (David Cottle) has been such an active update
> tester, who's listed somewhere near the top of bodhi's new metrics. Yet,
> spending +3 karma points instead of just one should not be done with three
> accounts. Superhero testers (especially those who really test
> hardware-dependent updates on lots of different hardware) could gain extra
> privileges in bodhi or be marked as VIPs in the future. I'm sure something
> can be done to reward them for their contribution and to aid package
> maintainers in deciding what level of testing an update has seen.
> 
> However, all I see so far is an attempt at raising karma in bodhi in the
> hope that the updates will be pushed to stable sooner. And that is
> foul play IMO.

Yes, this seems like a real problem to me.

Thanks for the heads up.

-sv
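
The co-voting pattern described in the quoted message (several accounts giving the same karma on the same updates within about 20 seconds of each other), as an added detection example that is not part of the original thread and not bodhi's own code. The account names, update names and the `window_s` and `min_updates` thresholds are constructed assumptions; a flagged pair is a lead for the kind of account check described above, not proof of shared ownership.

```python
from collections import defaultdict
from datetime import datetime
from itertools import combinations

# Constructed sample data (not real bodhi records): update -> karma lines in
# the "+1 user - timestamp" layout quoted in the message above.
SAMPLE = {
    "pkg-one-1.0-1.fc9": [
        "+1 tester_a - 2008-08-27 22:24:21",
        "+1 tester_b - 2008-08-27 22:24:46",
        "+1 tester_c - 2008-08-27 22:25:11",
        "+1 other_x - 2008-08-28 09:02:10",
    ],
    "pkg-two-2.1-3.fc9": [
        "+1 tester_a - 2008-08-28 07:10:02",
        "+1 tester_b - 2008-08-28 07:10:23",
        "+1 other_y - 2008-08-28 07:45:00",
    ],
    "pkg-three-0.9-2.fc8": [
        "+1 tester_b - 2008-08-29 21:15:40",
        "+1 tester_a - 2008-08-29 21:16:01",
        "+1 tester_c - 2008-08-29 21:16:20",
        "+1 other_x - 2008-08-29 21:16:30",  # one-off coincidence, not flagged
    ],
    "pkg-four-3.2-1.fc8": [
        "+1 tester_c - 2008-08-30 06:40:12",
        "+1 tester_a - 2008-08-30 06:40:31",
        "-1 other_y - 2008-08-30 06:40:50",
    ],
}

def parse_vote(line):
    """Parse one '+1 user - YYYY-MM-DD HH:MM:SS' line into (user, karma, time)."""
    karma, user, _, stamp = line.split(None, 3)
    return user, int(karma), datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")

def correlated_pairs(votes_by_update, window_s=60, min_updates=3):
    """Pairs casting the same karma within window_s seconds on >= min_updates updates."""
    seen = defaultdict(set)  # (user1, user2) -> updates where they voted together
    for update, lines in votes_by_update.items():
        votes = sorted((parse_vote(l) for l in lines), key=lambda v: v[2])
        for (u1, k1, t1), (u2, k2, t2) in combinations(votes, 2):
            if u1 != u2 and k1 == k2 and (t2 - t1).total_seconds() <= window_s:
                seen[tuple(sorted((u1, u2)))].add(update)
    return {p: sorted(ups) for p, ups in seen.items() if len(ups) >= min_updates}

if __name__ == "__main__":
    print(correlated_pairs(SAMPLE))
```

Requiring repetition across distinct updates is what separates this from chance: `other_x` votes within the window once and is not reported.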




