Need advice pertaining to GSoC proposal

David Timms dtimms at iinet.net.au
Fri Apr 3 16:12:44 UTC 2009


Debayan Banerjee wrote:
>>>>  Why do you think votes (esp. those by users) and trust are related? I
>>>> guess it's not a _terrible_ hint, but it's surely not a good one either.
>>>>  We don't do Fedora package reviews by having everyone vote, so I don't
>>>> see why we'd want to do the same thing for (expandable) sets of
>>>> packages.
>>> Well downloading and installing packages is something any user does
>>> and hence they have a right to vote for what they liked,
The user has no way of knowing whether their machine is now a botnet 
zombie - we simply cannot put them at that risk. Put it this way, even 
one hacked machine is bad for a distribution's reputation.

> No. I think you are being paranoid. Bad packages can be added after
> votes, yes, and it will decrease the rankings of the repository soon.
Firstly, it is not easy to tell that a bad package has been added to a 
repository. Let's say an equivalent of openssh with a back door, and the 
capability to send details of username, password etc., was placed in such a 
third-party repository.

If having even one rooted machine is bad, allowing/requiring "enough" 
rooted machines to know they are rooted, go to a voting page, and begin 
voting against a package / repo would take a long time to achieve 
anything, but in the mean time more and more people are getting the bad 
bits.

Having said that, forcing a positive / negative opinion to be given 
during the process of removing a package could be somewhat interesting 
eg 467 users rated package X 4/10, and kept it installed for an average 
240 days, where it was run an average 5 times per week. Distribution 
curve graphs could be more useful than an individual ranking number.

> Let ISVs, 3rd party developers package stuff and host their own
Of course, it's a free world, and few people can stop any third party 
hosting whatever it likes (bad, good, stealth...voting systems).

> repositories. Of course, they may be better than you. Users have the
> right to decide.
For themselves. Not by a group of anonymous someone elses (hey that's 
not a word).

> And your concern about multiple votes and all that was obviously raised
> before too. Here was my argument:
> 
> " I was advised on the Fedora list by Patrick Barnes to use the voting
> approach. I thought it made sense since it will keep evil people
> (repositories) away
Only one package needs to be evil. And that would destroy the reputation 
of that repo forever, whether it was purposely done by the repo owner, a 
contributor, or via hacking.

> the same way Wikipedia protects itself from evil people.
Captcha ? It seems bots are getting close to reliably getting through 
these in like 20% of the time they are shown (see virusbulletin site).

Interested parties on each article reviewing changes, and with the 
capability to delete changes ? So the vote system would have to have an 
admin who would be able to override the votes tracked, and bring the 
counted vote total down or up at will, who do you think should be the 
umpire ?

> Also there may be admins, like me, who shall ban a particular
> repository from the listings if it is found to be a malicious
> repository. If a repo is getting too many good votes unjustly, a lot
> of normal good people will also use it and find it to be crap and vote
> against.
Did you notice Paul Frields' follow-up email in fedora-announce:
http://forums.fedoraforum.org/showthread.php?p=1193205
See how subtle an evil doer could be; from what I read, it wouldn't have 
taken much more for this intrusion to have been a huge problem for every 
Fedora user (eg passwords stolen), and yet no one would have known that 
there were any issues. And this is a site with dedicated staff running a 
large system. The risk has to be higher for smaller repos who may lack 
dedicated staff.

> If a repo is evil, there *will* be several "do not
> recommend" votes to it which will attract attention. "
I think even inter-repository or distro rivalries could create voting 
influences. eg what happens to a web site that gets /.'ed; quite a few 
do not survive the increase in traffic that such reference sites cause.

>>> recommending any repository at all. It's the users recommending it to
>>> other users 
And are willing to put their name and email on that recommendation in 
public, then it is their reputation as recommender that is on the line. 
If you summarize it down to a vote by numbers only, anything can be done:
- false vote up a bad repo / package
- false vote down a perfect repo !

Have a look at sourceforge rankings - if you wanted to publicize your 
oss, wouldn't you do anything to enhance your rankings, by understanding 
how they are calculated, and attempting to push your name up the list ?

However, this shouldn't stop you from trying to rephrase the problem, 
step back, and look at the bigger picture, without getting into details 
like voting.

I think it would be worthwhile having an enhancement that stores 
multiple keywords about specific software, so that you can search for 
software like "digital tv viewer usb", or "microsoft word document 
converter" and get a list of well described programs, with pretty icons, 
links to home page, whether the site has an ssl identity and so forth.

It would have to be tricky to have an open source voting system that a 
bad guy couldn't use the source code of to intricately understand how 
they can trick the system.

DaveT.