One person - several FAS accounts? (was: bodhi abuse?)

Michael Schwendt bugs.michael at gmx.net
Sat Aug 30 22:57:04 UTC 2008


On Sat, 30 Aug 2008 21:46:58 +0300, Axel Thimm wrote:

> I agree with Michael about 10^10%.
> 
> FAS accounts should be only one for each user. If there are needs for
> having several accounts for one person, these needs should be
> explained and either the FAS system extended to cover these cases, or
> special cased by whatever entity (fesco, fab, Fedora infra team?) is
> authoritative.
> 
> Isn't there perhaps already some text that one needs to click
> through that has the user sign that he will use only that account?
> Otherwise could someone add this?
> 
> Besides bodhi fake voting this can even be used for fab/fesco fake
> voting (although it is probably harder to mark several
> same-person-accounts as packager accounts w/o anyone noticing it)!

Just for the record and because my original post went to fedora-buildsys-list.
I've stumbled into suspicious voting activity in bodhi, such as:

  https://admin.fedoraproject.org/updates/PackageKit-0.2.4-6.fc9
    (pending)

  +1 acottle - 2008-08-27 22:24:21
  +1 auscity - 2008-08-27 22:24:46
  +1 dcottle - 2008-08-27 22:25:11

There are more like that from those users. They have several things in
common. Never any comment except for sporadic words (or discussion with
other voters) from dcottle. Just the +1. Usually at least two of these
accounts vote in bodhi at the same time (i.e. with a delay of approx. 20
seconds like above) and always on the same updates for both F9 and F8.
It is often voted on pending updates, where downloading from koji is
necessary.

You can learn in one of dcottle's comments to a kernel update, where users
use bodhi to chat a bit, that his daily routine is to look for new builds
"in koji" in the morning hours. And yet it's three accounts that vote at
the same time on the same updates.

Of course, I'm paranoid. ;) Of course, this is not the same person
behind those accounts. One can imagine how they sit next to each other
and practise voting in bodhi at the same time several days a week
for every update they try. :)

So, ... FAS confirmed that users dcottle and auscity are the same person
(actually with the email addresses swapped to make the connection even
more obvious), and acottle shares the surname *and* the domain name in the
email address.

After I had mailed the three users and the list, I've received four angry
replies from the person trying to explain that the multiple votes are done
because the updates are tested on several machines.  About an hour ago
I've received a rude reply that mentioned the obvious possibility (or is
it a threat of what to expect next?) of "registering countless hotmail,
yahoo or free accounts and commenting all day long" and a pool of 64 IP
addresses in order to conceal the activity in bodhi.


It's great that dcottle (David Cottle) has been such an active update
tester, who's listed somewhere near the top of bodhi's new metrics. Yet,
spending +3 karma points instead of just one should not be done with three
accounts. Superhero testers (especially those who really test
hardware-dependent updates on lots of different hardware) could gain extra
privileges in bodhi or be marked as VIPs in the future. I'm sure something
can be done to reward them for their contribution and to aid package
maintainers in deciding what level of testing an update has seen.

However, all I see so far is an attempt at raising karma in bodhi in the
hope that the updates will be pushed to stable sooner. And that is
foul play IMO.
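The voting pattern the post describes (several accounts casting +1 on the same updates, about 20 seconds apart, repeated across updates) can be turned into a simple detection check over bodhi-style comment lines. This is an added example, not code from the original post or from bodhi itself; the first update's vote lines are taken from the post, the second and third updates are constructed sample data, and the 60-second window and two-update threshold are assumed values.

```python
from collections import defaultdict
from datetime import datetime
from itertools import combinations

# Sample input in bodhi's comment layout "<karma> <user> - <timestamp>",
# grouped by update title. Only the first update is quoted from the post;
# the other two are constructed for this example.
SAMPLE_VOTES = {
    "PackageKit-0.2.4-6.fc9": [
        "+1 acottle - 2008-08-27 22:24:21",
        "+1 auscity - 2008-08-27 22:24:46",
        "+1 dcottle - 2008-08-27 22:25:11",
    ],
    "otherpkg-1.0-1.fc8": [  # constructed: same trio, same close spacing
        "+1 acottle - 2008-08-27 22:30:02",
        "+1 dcottle - 2008-08-27 22:30:25",
        "+1 auscity - 2008-08-27 22:30:50",
    ],
    "thirdpkg-2.0-1.fc9": [  # constructed: unrelated tester, votes an hour apart
        "+1 tester1 - 2008-08-27 20:01:00",
        "+1 dcottle - 2008-08-27 21:15:40",
    ],
}

def parse_vote(line):
    """Split '+1 user - YYYY-MM-DD HH:MM:SS' into (karma, user, datetime)."""
    karma, user, _, date, time = line.split()
    return int(karma), user, datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")

def co_voting_pairs(votes_by_update, window_seconds=60):
    """Count, per pair of distinct accounts, on how many updates both voted
    within window_seconds of each other (the ~20 s gaps seen in the post)."""
    counts = defaultdict(int)
    for lines in votes_by_update.values():
        votes = sorted((parse_vote(l) for l in lines), key=lambda v: v[2])
        paired = set()
        for (_, u1, t1), (_, u2, t2) in combinations(votes, 2):
            if u1 != u2 and abs((t2 - t1).total_seconds()) <= window_seconds:
                paired.add(tuple(sorted((u1, u2))))
        for pair in paired:  # count each update once per pair
            counts[pair] += 1
    return dict(counts)

def suspicious_pairs(votes_by_update, min_updates=2, window_seconds=60):
    """Account pairs that co-vote inside the window on at least min_updates updates."""
    pairs = co_voting_pairs(votes_by_update, window_seconds)
    return sorted(p for p, n in pairs.items() if n >= min_updates)

if __name__ == "__main__":
    print(suspicious_pairs(SAMPLE_VOTES))
```

A pair flagged this way is a lead for a FAS identity check like the one the post describes, not proof on its own; legitimate co-located testers would need to be ruled out.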
