Consider not @-linking github username field #2762

Closed
miketaylr opened this issue Jan 16, 2019 · 14 comments
@miketaylr
Member

miketaylr commented Jan 16, 2019

<sergiu> heya!
karlcow, looks like we have some people who abuse the GitHub handle field: https://github.com/webcompat/web-bugs/issues/24074#issuecomment-454776680
7:58 AM some time ago I got another complaint from a mentioned user, saying that he/she did not log that issue in the first place, and doesn't know how the github handle ended up in our bug report
8:00 AM did not pay too much attention at the time
8:01 AM 
— sergiu remembered that karl is on STO...
8:02 AM 
<oana> https://github.com/webcompat/web-bugs/issues/23442
8:02 AM this is another one 

webcompat/web-bugs#23442
webcompat/web-bugs#24074

This would be less spammy if we wrote foo instead of @foo.

@softvision-sergiulogigan
Collaborator

> This would be less spammy if we wrote foo instead of @foo.

I think this would not be enough, as we would most probably ping them at triage time...

@softvision-sergiulogigan
Collaborator

I don't think those GitHub handles are typed randomly. maybe ppl are confusing GH handles with twitter ones?
maybe... we should also add a twitter field?
maybe some validation too on those fields?

@karlcow
Member

karlcow commented Jan 16, 2019

That's not cool if we become a source of spam for users. That was the risk.

webcompat/web-bugs#24074
https://twitter.com/lava
It doesn't seem to be anything related.

webcompat/web-bugs#23442
https://twitter.com/sunny
not related either? maybe?

@softvision-sergiulogigan
Collaborator

Could we do something like this?

image

disregard my fierce Paint skills

@karlcow
Member

karlcow commented Jan 18, 2019

Not sure it will deter people doing it.
A couple of cases:

  1. mistyping a username
  2. goofing around college-humor style
  3. intended misconduct for annoying someone else
  4. Just not understanding what this box is for

@karlcow
Member

karlcow commented Jan 18, 2019

Probably people don't understand what this is about?

Paper trail.

  1. Issue Excessive permissions required to file a bug using Github #655 about permissions model.
  2. We need to make stats about this new feature in a couple of weeks (was it successful, how many abuse?)
  3. Kill it because potential abuse.
  4. ❤️ let's hope for the best

@karlcow
Member

karlcow commented Feb 6, 2019

An anonymous person complained about the feature. sigh. It doesn't help for having interesting discussions. Also in #2791

I want to do stats on the feature since we deployed it. And then I guess we can kill it. :)

@karlcow
Member

karlcow commented Feb 6, 2019

To note that the person reporting the issue could do that directly in the bug report. It would be exactly the same in terms of notifications. I wonder if the "reported by" is what makes people uncomfortable.

@jmk

jmk commented Mar 15, 2019

Hello, hope I'm not interrupting or resurrecting a dead conversation, but I was recently mentioned in a webcompat report that I did not file (web-bugs #27713). Having never heard of webcompat before, I had to do some legwork to figure out if this notification was phishing/spam, evidence of a GitHub account breach, or just a mistake. In the end I think it was an innocent mistake, but that was definitely not obvious to me.

As an outsider, I'd suggest reconsidering this feature. The fact that a bot can tag any GitHub user without verification seems a bit dangerous -- it provides a trivial way to anonymously send arbitrary content to any GitHub user, even if it's somewhat restricted in format. (Of course, this can be done by tagging someone in any comment, but that at least requires a GitHub account.)

The specific phrasing definitely threw me off as well; "reported by @jmk" sounds very authoritative, when in fact, it's based on completely unverified information. At minimum it feels like (anonymous) bug report content should be presented with a little more context.

Hopefully this doesn't come up that often, but it does seem like the kind of thing that might be easier/better to proactively address, rather than wait for it to (potentially) get abused or misused first.

Thanks for listening!

@karlcow
Member

karlcow commented Mar 17, 2019

@jmk Thanks for the comment and the context. If the name was added without linking aka without the @ sign, would that address part of your concerns? It will not generate an automatic notification at least.

@jmk

jmk commented Mar 19, 2019

I do think removing the username tag would help. As was mentioned before, the user could still be tagged or contacted during triage -- but at least it would involve a human reaching out, rather than an automated message carrying arbitrary user-submitted content, which mitigates the potential for direct abuse. So that's good!

Another option could be to adopt the language commonly used in email messages to unverified addresses -- something like, "this webcompat bug report was submitted in your name; if you didn't submit this, you can [ignore this message / unsubscribe from thread / some other appropriate action]". Maybe appending something like this to the webcompat-bot reports would help?
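
The two mitigations discussed above (writing the handle without a live @-mention, and attaching an "unverified" notice), sketched as an added example that is not part of the thread and is not webcompat's own code. The function names and sample handles are hypothetical; it assumes the reporter-supplied handle and description are untrusted form input, relies on GitHub not creating mentions inside inline code spans, and goes slightly beyond the handle field by also neutralising mentions in the free-text description.

```python
import re

# GitHub usernames: 1-39 characters, alphanumerics or single hyphens,
# never starting or ending with a hyphen.
HANDLE_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9]|-(?=[A-Za-z0-9])){0,38}")
# A would-be mention in free text: "@" not preceded by a word character
# (so e-mail addresses are skipped) or by a backtick (already a code span).
MENTION_RE = re.compile(r"(?<![\w`])@([A-Za-z0-9][A-Za-z0-9-]*(?:/[\w-]+)?)")

# Wording adapted from the suggestion in the comment above (constructed text).
NOTICE = ("The handle above was typed into an anonymous form and has not "
          "been verified. If it is yours and you did not submit this "
          "report, you can ignore it or unsubscribe from the thread.")


def normalize_handle(raw):
    """Return the bare handle, or None if it cannot be a GitHub username."""
    candidate = raw.strip().lstrip("@")
    return candidate if HANDLE_RE.fullmatch(candidate) else None


def defang_mentions(text):
    """Wrap each would-be @mention in a code span so nobody is notified."""
    return MENTION_RE.sub(r"`@\1`", text)


def build_issue_body(description, raw_handle):
    """Assemble the bot's issue body without any live mention in it."""
    parts = [defang_mentions(description)]
    handle = normalize_handle(raw_handle)
    if handle:
        # No "@" and no "reported by": the handle is shown as unverified text.
        parts.append(f"_Handle given in the form: `{handle}` (unverified)._")
        parts.append(NOTICE)
    return "\n\n".join(parts)


if __name__ == "__main__":
    # Constructed sample input, not taken from a real report.
    print(build_issue_body("Layout broken, cc @someone", " @octo-example "))
```

A handle that fails validation is dropped rather than echoed, so mistyped or free-form input in that field never reaches the issue body.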

@karlcow
Member

karlcow commented Mar 20, 2019

@jmk Super useful feedback. Thanks.

@softvision-sergiulogigan
Collaborator

Another issue where @jmk was pinged is webcompat/web-bugs#27713

@karlcow
Member

karlcow commented Apr 25, 2019

Capture d’écran 2019-04-25 à 12 58 04
Capture d’écran 2019-04-25 à 12 58 23
