Conversation

for anyone else running a public git forge: how do you handle obvious spam accounts being registered?

getting a bunch of obvious “stupidname123456789” accounts signing up over the past couple days- i suspend them all as they are created, but curious what the approach of other forge admins is.

do you ignore them so long as they’re not causing trouble? do you shoot on sight?

closing registrations is less of an option, btw- this forge is specifically open to facilitate issue/PR submissions without dealing with annoying mirrors.

@ari When I get around to it, I'll probably set Forgejo's REGISTER_MANUAL_CONFIRM option to true.

@alexia does an unconfirmed account still have the ability to fork/PR and create issues? that’s the minimum criteria for me

@ari an unconfirmed account is effectively disabled, I believe. Just like one that doesn't have its email confirmed yet

@alexia yeah… i’m very much okay with users having to confirm emails first, i just don’t want them to be able to arbitrarily upload their own repos immediately afterwards

@ari perhaps you can set the default number of repos to 0?

I know this is configurable, and I know this can be increased on a per-user basis (and set to -1 to keep the default)

@ari I closed registration, but allowed signin via Codeberg or Github. I had maybe two spam accounts in two years, and people can still file issues & open PRs.

@ari I have the built-in (free software) forgejo CAPTCHA enabled and require email confirmation. Then I just manually clean up all accounts with unconfirmed emails (which is all of the spam accounts) occasionally.

@algernon @ari Consider enabling signin via framagit.org (or some other GitLab CE instance that doesn't require non-free software to register). Forgejo as an OAuth2 provider doesn't support scopes yet, so signing in via Codeberg gives the forge you're signing in to full access to your Codeberg account, and I'd rather avoid GitHub.

@noisytoot i opted for hCaptcha in my case- i’m aware forgejo has its own image-based captcha but i wanted something a little stronger


@ari I want to avoid requiring non-free software at all costs, so if it was more of an issue I’d probably use something like sethrawall (SSH-based authentication) or just require manual confirmation
