Hey @codeberg !
Enjoying our new home. All but one of our team that is. Unfortunately you use a CAPTCHA for creating accounts, so you've made it impossible for one of our developers to create an account.

Would you consider removing that please? We don't want a one-off workaround for this user. Let's fix it properly for everyone please. CAPTCHAs are a really bad move from an accessibility standpoint.

We're human, we promise 😉

@codeberg

Ok - this is more serious. Codeberg, you've been aware of this for more than a year and have done nothing?!

dragonscave.space/@devinprater

codeberg.org/Codeberg/Communit

You're public funded and based in the EU, so you have a legal requirement to fix this, on top of the moral one.

The goodwill you've had from the #opensource community for #GiveUpGitHub will disappear real fast if you don't.

Just remove the CAPTCHA. They don't work, and are a bad idea even for users with 20/20 vision.

#a11y

@dentangle

To answer the initial question: these captchas work for 99.9% of our users signing up (actually more), but we are aware that we need to activate a small fraction manually.

On some days we received thousands of automated spam bot sign-ups, and the captchas have proven to be an efficient measure (so far). This way they make the load for our moderation team manageable.

There is always room for improvement.

Please consider joining our moderation team, and help with improved measures!

@codeberg Thanks for the response.

Working for 99.9% of users sounds great, but it misses an important point.

These aren't random odds.

It doesn't work for the other 0.1%. Ever.

The *same* 0.1% always have this problem, every day. And you and I and the rest of the 99.9% don't see it, because it works for us 100% of the time.

For the 0.1%, it fails to work 100% of the time, every day on countless sites.

THAT is why they get angry on social media.

So we need to fix that.

#a11y

@dentangle
I'm on your side.

What do you propose regarding bots signing up and flooding the moderation team?

@codeberg

@RyunoKi @dentangle so far our process is to sign up those for whom it does not work, manually

@codeberg @dentangle @RyunoKi .hg What about simple captchas—not the /distinguish objects in images/ or /transcribe distorted text/ nonsense, but /leave this field blank/ or /answer a one-digit four-function question/? Since we're talking percentages, these work well in 99% of cases ;) nearcyan.com/you-probably-dont

@humanetech @moonbolt @codeberg @dentangle @onepict @realaravinth @Gusted

Thanks for the mention!

Accessibility is of utmost importance to mCaptcha. Employing Turing tests to protect websites passes on the burden to the users, which is not only unfair but also makes websites difficult to use for folks with special needs. For this reason, mCaptcha uses a proof-of-work algorithm, which allows one-click validations.

Integration with Gitea is tricky since only the client-side bits are licensed with MIT + APACHE2.0 whereas everything else carries AGPLv3. So to use mCaptcha with Gitea, it has to be loaded as an external service, using the core library from within Gitea itself.

- @realaravinth

@codeberg add this simple check to your registration form and you're golden:

is using our services a privilege [x] or your legal right [ ]?

@codeberg @RyunoKi @dentangle

A social test is quite a good bot detector. *send this link to three existing users so we know you are a human* with a cooldown of a week so you don't get a bot chain.

We had to develop a pile of spam and moderation tech for the Inkscape forum. Happy to compare notes since we rolled our own. Getting mods is about tooling for us.

@doctormo @codeberg @RyunoKi @dentangle I don't really like this, it makes the community invite-only and exclusive on a small scale, and is easily exploited on a larger scale.

@shipp @codeberg @RyunoKi @dentangle no method is perfect. Although the largest weakness is gate keeping, there are other ways of solving that too.

@RyunoKi @codeberg

There are plenty of more accessible options than CAPTCHAs.

Asking the user to add two numbers together works, even for screen readers. Or asking any other question that is easy for a human to answer:

"Does $cityname start with the letter $letter?"

There are CAPTCHAs with audio options. There are lots of other ways to handle this. Be creative!

This is the developer's responsibility, however, not the users'. It is part of doing our jobs, and shouldn't be an afterthought.

@dentangle
In my first company (about a decade ago) I did some research and figured out that anything that requires JavaScript to run is sufficient, too.

Like preparing a basic math question (1st grade) and passing the operators and operand to the client.
Building the form input with JavaScript and checking presence and result server side.

@codeberg
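
The server-issued arithmetic question and the "leave this field blank" check suggested in the posts above, sketched as an added example that is not part of the thread and not Codeberg's or Gitea's code. The form field names `website`, `challenge_id` and `answer` and the in-memory `PENDING` store are assumptions; each challenge is single-use, so a bot gets one guess per question rather than trying every possible sum.

```python
import secrets
import time

MAX_AGE = 600   # seconds a challenge stays valid
PENDING = {}    # challenge id -> (expected answer, issue time); assumed in-memory store


def new_challenge(now=None):
    """Create a question. Only the id and the text go to the client, never the answer."""
    now = time.time() if now is None else now
    # Drop expired challenges so abandoned sign-up forms cannot grow the store forever.
    for cid in [c for c, (_, issued) in PENDING.items() if now - issued > MAX_AGE]:
        del PENDING[cid]
    a, b = secrets.randbelow(9) + 1, secrets.randbelow(9) + 1
    cid = secrets.token_urlsafe(16)
    PENDING[cid] = (a + b, now)
    # Plain words instead of an image or symbols, so a screen reader reads it as-is.
    return cid, f"What is {a} plus {b}?"


def verify(form, now=None):
    """form: dict of submitted fields. Returns (accepted, reason)."""
    now = time.time() if now is None else now
    # Honeypot: a field hidden from people (and labelled "leave blank") must stay empty.
    if form.get("website"):
        return False, "honeypot field filled"
    # pop() makes the challenge single-use, whether or not the answer is right.
    entry = PENDING.pop(form.get("challenge_id", ""), None)
    if entry is None:
        return False, "unknown or reused challenge"
    expected, issued = entry
    if now - issued > MAX_AGE:
        return False, "expired"
    given = str(form.get("answer", "")).strip()
    if not (given.isascii() and given.isdigit()):
        return False, "answer is not a number"
    if int(given) != expected:
        return False, "wrong answer"
    return True, "ok"
```
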

@RyunoKi @codeberg Yeah, anything like that. Or make the email confirmations require some manual step, rather than a link that a bot can follow.

@noyovo @RyunoKi @codeberg Yes. There have been some discussions on here and on matrix re #a11y since. I'm waiting to see how much of that turns into action.

This isn't a technical issue. Several solutions have been proposed that would take less time to implement than has so far been spent talking. A similar discussion happened over a year ago and went nowhere.

Meantime we still don't have our full team on Codeberg. Hopefully this can be fixed before the end of Accessibility month.

@noyovo @RyunoKi @codeberg Even replacing the CAPTCHA with 5 lines of javascript to implement the "add two numbers" test would be a start.

Would it stop all bots? No.

Would it be as effective at stopping bots as the CAPTCHA? Probably not.

But would it stop enough that it's not really a problem? Quite probably.

It would also immediately allow 100% of vision impaired users access.

A better solution can be implemented later if needed, but that would solve the #a11y problem right now.

@dentangle @noyovo @RyunoKi please send an email to help@codeberg.org to get help for manual sign-up without captcha for your collaborator. No one should be left behind.

Great that you found a tech implementation easy and quick, looking forward to the pull request!

@RyunoKi @codeberg Personally I favour the text based options - they're easy to code and the visual option is the same as the audio one. There's no separate special process. Adding audio CAPTCHAs is more work and I'm not convinced it's a great solution. For a *huge* site where *targeted* spam is a big issue, maybe.

@codeberg @dentangle how hard is it to add this anyway? (honestly asking, not rhetorical - audio will always imply more bandwidth use (though at 1% let alone 0.1% of users at initial account creation it shouldn't mean much!) and i don't know if there are other proprietary licencing issues with what's available)

@codeberg Since others are quite adamant about #captchas, maybe pointing them to the code where the captcha was added might help. From what I understand you're hosting #gitea, so maybe even creating an issue on the gitea repo might help.

I don't write Go, so it won't be me contributing, but at least for others it might be good to know where to start.
