You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@qpid.apache.org by Justin Ross <jr...@apache.org> on 2013/05/24 14:46:22 UTC

Issue collectors

Right now, the experience for users attempting to raise a jira isn't
great.  The "create jira" link fails and asks you to sign up for an
account.  I'd like to consider dropping that requirement.

Jira offers "issue collectors" as a way to provide anonymous issue
reporting.  If you drill down to the "add issue collector" UI in our
instance, you get the following warnings:

    "Issues in this project can be viewed by anonymous users. Issue
collectors allow for issues to be created anonymously. This means your
JIRA instance could be abused by a spammer who can create issues that
are available publicly."

That's a good point.  I think it's worth trying, and we can disable it
if spam becomes a problem.  (And I wonder if there's a captcha
somewhere in there.)

    "If your JIRA instance is not accessible via the public internet
feel free to ignore this message. Otherwise it is recommended that you
update this project's permissions such that anonymous users are not
allowed to browse issues."

What do you think they mean by the "otherwise, disable anonymous
browsing" part?  Initially this didn't make sense to me.  Now I figure
this is meant for private orgs with a jira instance on the public
internet, which wouldn't apply to us.

Justin

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org

Re: Issue collectors

Posted by Justin Ross <ju...@gmail.com>.

For the record, I'm going to move ahead with adding the issue
collector.  We can disable it again if it proves to be a problem.

Justin

On Fri, May 24, 2013 at 11:25 AM, Andrew Stitcher <as...@redhat.com> wrote:
> On Fri, 2013-05-24 at 08:46 -0400, Justin Ross wrote:
>> ...
>>     "If your JIRA instance is not accessible via the public internet
>> feel free to ignore this message. Otherwise it is recommended that you
>> update this project's permissions such that anonymous users are not
>> allowed to browse issues."
>>
>> What do you think they mean by the "otherwise, disable anonymous
>> browsing" part?  Initially this didn't make sense to me.  Now I figure
>> this is meant for private orgs with a jira instance on the public
>> internet, which wouldn't apply to us.
>>
>
> I think what they're talking about here is the motivation for blog spam
> - search engine "optimisation". So if a spammer can post a bug, and it
> is anonymously available on the internet then it can be found by search
> engines and push whatever URL they are trying to drive traffic to.
>
> Or at least this is my understanding of why spammers try to post links
> to blogs etc. So if the url isn't publicly available then there is no
> point in the posting in the first place from their pov.
>
> In this vein it might make sense to not allow anonymously posted bugs to
> be available anonymously.
>
> Anyone have any other understanding(s)?
>
> Andrew
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
> For additional commands, e-mail: dev-help@qpid.apache.org
>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org

Re: Issue collectors

Posted by Andrew Stitcher <as...@redhat.com>.

On Fri, 2013-05-24 at 08:46 -0400, Justin Ross wrote:
> ...
>     "If your JIRA instance is not accessible via the public internet
> feel free to ignore this message. Otherwise it is recommended that you
> update this project's permissions such that anonymous users are not
> allowed to browse issues."
> 
> What do you think they mean by the "otherwise, disable anonymous
> browsing" part?  Initially this didn't make sense to me.  Now I figure
> this is meant for private orgs with a jira instance on the public
> internet, which wouldn't apply to us.
> 

I think what they're talking about here is the motivation for blog spam
- search engine "optimisation". So if a spammer can post a bug, and it
is anonymously available on the internet then it can be found by search
engines and push whatever URL they are trying to drive traffic to.

Or at least this is my understanding of why spammers try to post links
to blogs etc. So if the url isn't publicly available then there is no
point in the posting in the first place from their pov.

In this vein it might make sense to not allow anonymously posted bugs to
be available anonymously.

Anyone have any other understanding(s)?

Andrew



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org