|
Grex > Coop > #299: Discussion of newuser. | |
|
| Author |
Message |
| 25 new of 85 responses total. |
kentn
|
|
response 21 of 85:
| 
Dec 3 03:12 UTC 2010 |
Looks like /usr/noton/nu doesn't exist so that's why I got that error.
But if the new one is easier to get in place and it works, that might be
better (and more maintainable).
|
rcurl
|
|
response 22 of 85:
|
Dec 3 04:53 UTC 2010 |
Re #13: "What information are you referring to, specifically?"
The info listed in #10. We don't think weneed to do a demographic study
on all newusers.
|
kentn
|
|
response 23 of 85:
|
Dec 3 15:23 UTC 2010 |
Here's what I see we need to do, in order of priority:
1. Get the web newuser working. If that means getting it working
as it did when it was last working, with all the questions and
technical stuff, so be it. Not having it working at all is more of
a harm to us than a complicated new user process.
2. Simplify the web newuser. From what I've seen we should be able to
do this if we have a working web newuser and just use some default
values or no values for options, for the things we're no longer
asking (in the data submitted from the web page). If this is not
the case, speak up.
The "how" (or "how much") to simplify is one of those consensus
questions we get from time to time. Let's give the Board and Staff
and the rest of the users some time to weigh in. Perhaps they see
other issues with any simplification proposal. If we hear nothing
in a reasonable amount of time (e.g. 1 week), I'll assume no one
has an objection. Then let's simplify it and see how it works out.
Let me know if you see issues with this process (such as it's more work
to re-do the web newuser or web page to simplify it than it is to just
take the time to simplify all of it now). We can adjust accordingly.
(I've also e-mailed staff and board with a summary of what we're talking
about in this item).
|
cross
|
|
response 24 of 85:
|
Dec 3 15:51 UTC 2010 |
resp:23 I've got to be honest. I *really* think you're making it too
complicated, and involving too many hands into the pot. Consensus is
great, but Grex is riddled with inaction because people wait and wait
for consensus that never comes. And most of the time, it's for
inconsequential things that people just don't care about. Whether we
ask for somebody's hobbies or not is probably one of those things.
People will debate endlessly about it, but in the end, I really doubt
that anyone here *really* cares.
Web newuser has been broken for several years; if it's down for
another week, the world won't stop turning. Let's just decide what
questions we want to ask and program to that. It'll be less work to
do it all now as a unit than to fix the terrible code that's there now
and then change it down the road.
|
kentn
|
|
response 25 of 85:
|
Dec 3 16:21 UTC 2010 |
I understand your point of view, Dan. Maybe it's time to not try so
hard for a consensus or the involvement of others and just get things
done. From what I've seen, generally, the people who care have little
or no interest in actually making things happen, so I'm tempted to just
say "do it this way" and let the chips fall where they may.
|
slynne
|
|
response 26 of 85:
|
Dec 3 17:36 UTC 2010 |
I am all for getting things done. If I ever make a stink about
something, please feel free to refer me back to this post ;)
|
cross
|
|
response 27 of 85:
|
Dec 3 18:25 UTC 2010 |
resp:25 Thanks, Kent. Don't get me wrong, consensus is good, but it's
also this community's achillies heel.
resp:26 Quick! Someone upload slynne's post to wikileaks!
|
rcurl
|
|
response 28 of 85:
|
Dec 3 21:24 UTC 2010 |
Re #27: "consensus is good, but it's also this community's achillies
heel". No kidding. I won't participate on boards of organizations that
do things by consensus. I'm a "straight up and down vote" person (with
Roberts Rules.....).
|
remmers
|
|
response 29 of 85:
|
Dec 4 21:04 UTC 2010 |
Re resp:20 - "Actually, I think the short term solution is to get the
new one written. The code that's there now is, well, complicated and
confusing and very, very old."
I quite agree. Web newuser is around 2400 lines of C source code, and
the TTY-based newuser around 5700, code that nobody currently active on
Grex had anything to do with writing. Wading through that to fix
problems, when a new TTY newuser is already in place and a new web
newuser shouldn't be far behind, strikes me as not worth the effort.
|
kentn
|
|
response 30 of 85:
|
Dec 4 22:06 UTC 2010 |
Having code that is easier to maintain is a plus, I think. I know from
personal experience that wading through someone else's code can be a
lot of effort depending on how it is written. Sometimes, it's easier
to start from scratch, and faster than trying to fix old code that is
confusing.
|
cross
|
|
response 31 of 85:
|
Dec 5 01:05 UTC 2010 |
resp:29 Agreed.
resp:30 The new newuser needs some cleanup, but overall, I think it's a lot
less crufty than the old newuser.
|
tsty
|
|
response 32 of 85:
|
Dec 9 17:40 UTC 2010 |
re 18 ... uhhhhh....
We need the email address to email the password to the user. Newuser
generates a password and emails it to the user.
let;s not do that .... struturally it;st not a good idea.
keep resh and with the modificatoins./clarifications that validationg is goign
to require email -exchange- with someone staff/board on grex.
i.e.. after crateing an acount (and the laert in newuser that
other-email-addrs is needded for validation) a validationg rqeust can be sent.
sent by the newuwer from (possibly other-email-addrs) or frm grex-email,
whichever.
emaikling passwds makes me puke.
|
kentn
|
|
response 33 of 85:
|
Dec 9 18:04 UTC 2010 |
What's not a good idea about mailing the password? This isn't the
Pentagon or anything. We've talked about an an offsite e-mail address
being more or less required, as in automatically send the user an
e-mail and they can respond and be validated. It also gives us contact
information if there are other issues (including forgotten password).
I suppose we could require the password be changed when they first
log in. Or at least, suggest strongly that they do so in the e-mail
we send.
|
cross
|
|
response 34 of 85:
|
Dec 10 03:06 UTC 2010 |
resp:32 Why?
resp:33 Resh requires the new user to change their password the first
time they login. Actually, it requires them to change whenever there's
a certain file in their home directory.
|
kentn
|
|
response 35 of 85:
|
Dec 10 04:35 UTC 2010 |
Okay, then, sounds like we're in good shape.
|
tsty
|
|
response 36 of 85:
|
Dec 10 06:29 UTC 2010 |
first of all .... about emailing passwdds... whe a newuser cone here she/he/it
creates a passwd.
wtf is wrong with that? notiohing.
second, the balidation is a time dalya, eveninfit is 30 secs.
third. hte eamil to the newuser may ot be read (or it might og iotn some spam
foledre) and be unknown for monthsl. (rt stuff is expeirience as is ... my
emaoil)..
i ahve validated .. well tried to valisdate ... reaped loginds .. which
prompted me ... a wheil aago ... to ask aobut hte reapo preocedure. wheat
i had to send was "well create your loginid AGAIN .. and i wiell validate"
fourth .. a passwd distting around for a whiel is STUPID (imnsho) wheich is
also different from the newuser's orogianl choice .. w t f ?
there is more but the above is enough, i think.
|
cross
|
|
response 37 of 85:
|
Dec 10 12:38 UTC 2010 |
I'm going to address your post point by point. I'm also going to take
the time to fix your spelling errors.
> first of all .... about emailing passwords... when a newuser comes here
> she/he/it creates a passwd.
That's not true anymore; the user isn't even prompted for a password.
Further, there's nothing that says that they *have* to give a password
to newuser.
> wtf is wrong with that? nothing.
Actually, it became a vector for abuse. I have caught specific people
making *thousands* of accounts with scripts. This way, at least we can
track that back to an email address.
Second, by generating the passord and emailing it to the user, at least we
have some sort of useful contact information: if the user logged in at all,
we know we've got an email address for them.
Lots of sites do this: ask for an email address and email an auto-generated
password to the user. It works just fine all over the Internet.
> second, the validation is a time delay, even if it is 30 secs.
What validation are you referring to? The automated validation of the
email address that newuser does? I'd say that in the worst case that
might take half a second.
Or are you talking about how long it takes for the user to get the email
so they can login for the first time? It takes a few seconds. The upsides
are worth it.
> third. the eamil to the newuser may not be read (or it might go into
> some spam folder) and be unknown for months. (rt stuff is experience as
> is ... my email).
It strikes me that if a user is interested in getting an account on Grex,
they won't mind getting an email with their password. Evidence of this is
all over the net; it's more common than not for users to get passwords
emailed to them than otherwise. If they wait for months, well, that's on
them and they weren't likely to be very interested anyway.
What's the difference between a user logging in once automatically at the
end of creating their account and never logging again, and never logging in
because they didn't bother to read the email that we told them they were
going to get?
> i have validated .. well tried to validate ... reaped logins .. which
> prompted me ... a while ago ... to ask about the reap procedure. what
> i had to send was "well create your login id AGAIN .. and i will validate"
I don't know what this has to do with newuser emailing passwords, except
perhaps an extension of the above paragraph about the user not reading his
or her email for months. Newuser is pretty explicit about telling the
user, multiple times, that it's going to send them email. If they choose
to ignore that email, then they're just as likely to login to resh, see
they can't run BNC or upload udp.pl and disappear after one login.
The policies and criteria by which we decide to reap accounts have not
changed for years. If it takes the porters months to do validation, then
that's a real problem.
> fourth .. a password sitting around for a while is STUPID (imnsho)
> which is also different from the new user's original choice .. w t f ?
What do you mean, "is also different from the new user's original choice"?
Do you mean a password that they enter, or a password that they have in
mind when they create an account on Grex? If the former, they don't enter
a password. If the latter, I claim this is actually *easier* on them
since they don't have to sit there and think of one.
To be clear, here's the basic process for getting an account on Grex:
1. Login as newuser and enter your basic information:
a. "Real" name.
b. Email address.
c. desired login name.
d. Currently, a few other questions: address, phone number, interests, etc.
* Note that password is not on this list. *
2. Newuser generates and emails you your password.
3. User gets the password, logs in and is in resh. Resh sees they've
got a special file in their home directory (I believe I named it,
".needspwchange", but I can't remember) and prompts them to change
their password.
That's it. Suppose we go on through the validation process.
4. User goes through the validation process:
a. send email to porters@grex.org with the request,
b. get an email back saying, "How'd you hear about Grex?"
c. user gives some response (really, any response will do),
d. a porter runs "validate user" on Grex, thus changing their
primary group to "people" and changing their shell to
/usr/local/bin/newly-validated (this will move to /cyberspace/bin
soon, though; the path is unimportant).
5. User logs in again (note that they changed their password the first
time they logged into resh; it doesn't change at all during the validation
process). Newly-validated chgrp's their files to the "people" group
and invokes /usr/local/bin/pickashell (again, this needs to move to
/cyberspace/bin, but the path doesn't matter); the user picks what shell
they want to use and away they go.
Now the user has real access to Grex. Supposing that they wanted the
full, unrestricted access, then go through the existing procedures, which
haven't really changed since Grex was created, to get verified: basically,
this means that they send a copy of an ID or a personal check or use
paypal, at which point someone runs "verify user" on them, which changes
their primary group to "verified" (and that's basically it; it also adds
them to "people" as a secondary group).
What I'd like to do, and what board talked about somewhere on the order
of three or four years ago, is add an automated verification system.
Basically, the user types "verify" or something on Grex, gets a URL that
they click on, they pay a couple of bucks or something through PayPal,
PayPal contacts us, we verify the payment and automagically verify them.
> there is more but the above is enough, i think.
No, I'm afraid it is not.
You are making a lot of flimsy assumptions (that the user won't
read their email, or that it will get marked as spam) and predicating
your argument on things that haven't been true for years (that the
user comes to Grex with some idea of what they want their password
to be, probably also that this is some sort of huge security risk).
It isn't 1991 anymore.
I think that what newuser is doing now is actually much better than
the old system:
a. It avoids abuse.
b. It gives us much higher quality contact information (we actually
have an email address that we know works in case the user forgets
his or her password).
c. It makes contacting the user simpler: we can look at newuser's
contact logs to get a user's email address if we want to send them
a message, instead of digging through their personal files (which
TS does regularly in order to find email addresses for validation
purposes).
d. It gives an air of professionalism to Grex that, I claim, will
increase users, not drive them away.
e. It follows well-established and widely used precedent. Indeed,
even on Grex, when we reset someone's password, we just send
them an email.
Does anyone else feel that emailing the password to the new user is
bad?
|
veek
|
|
response 38 of 85:
|
Dec 10 12:53 UTC 2010 |
well.. i'm not clear on one point..
1. we ask for his email and mail him his password, AND put him in resh?
How does he move from resh to bash??
2. we can try to avoid the spam problem by making the content in the
email a little dynamic.. Dear so and so, blah blah and in the Subject:
Grex registration information for account blah.
|
cross
|
|
response 39 of 85:
|
Dec 10 15:09 UTC 2010 |
resp:38 See steps 4 and 5 in resp:37. I really doubt the spam problem
is much of a concern, to be honest.
|
veek
|
|
response 40 of 85:
|
Dec 10 17:18 UTC 2010 |
rofl, so we keep the existing 'validation/validate' process with all
it's bureaucracy and we remove a few questions from newuser but we then
create a "new email process" <g>
(which will suck up more time! with the user having to start a browser
and login to yahoo vs taking a few additional seconds answering
questions in a SSH/telnet session he already has open)
----
I was thinking along the lines of a no "validation/resh process". Just
newuser-with-emailID-request, and password mailed to user and direct
access to bash once he recieves his password :) oh well..
|
nharmon
|
|
response 41 of 85:
|
Dec 10 17:21 UTC 2010 |
Sometimes big reforms require small changes be implemented first, veek.
|
cross
|
|
response 42 of 85:
|
Dec 10 17:31 UTC 2010 |
resp:40 I'm sorry, veek, but you appear to have a very, very
small-system mindset. History has shown that we can't just give
shell access to Grex. It sucks, but there it is. Are you going
to clean up after the Chad's of the world? No. Odds are good that
I'm going to be the one who cleans up the messes. In that context,
I am *so* unconcerned about someone having to take a few extra
*seconds* to check their email to get a password.
If we had a web pages that didn't look like they dated from 1994,
maybe we'd have more users for this to be an issue. But we don't,
and it's not. Let's work on things that are important, like getting
the web pages up to date, and then we can start worrying about this
stuff.
|
tsty
|
|
response 43 of 85:
|
Dec 11 07:16 UTC 2010 |
i;m glad cross is redoing newuser ... miy comment was historical.
the futeur wiell be differnet... and if newuewr creates NO passwed for the
new logins ... doenslt that open the flooldgarttes? charlie woueild object?
|
cross
|
|
response 44 of 85:
|
Dec 11 22:05 UTC 2010 |
resp:43 I don't understand. Newuser *does* create a password for the
user. Who's charlie?
|
jgelinas
|
|
response 45 of 85:
|
Dec 12 13:24 UTC 2010 |
I think you are moving in the right direction, cross. I only wish I
could be more useful in the endeavour.
|