~sircmpwn/sr.ht-discuss

14 7

builds.sr.ht for paid users only

Details
Message ID
<32e85430-b650-4774-ad14-00688e473c5b@benaaron.dev>
DKIM signature
pass
Download raw message
Hello sr.ht cohorts,

I won't be able to make it to the mumble session this month so I thought 
I'd voice my opinion on this issue here (hope this is the right list). 
I'm fine with making builds a paid only feature. As Drew pointed out in 
the email it's expensive to run and I don't want the devs to have to 
waste their time fighting crypto bots. Blocking off that feature could 
slow adoption a bit, but I think the benefits outweigh the costs. Anyway, 
that's my two cents.

Cheers,
Ben Goldberg
Details
Message ID
<87r1jajzow.fsf@bzg.fr>
In-Reply-To
<32e85430-b650-4774-ad14-00688e473c5b@benaaron.dev> (view parent)
DKIM signature
missing
Download raw message
I won't be able to make it for the mumble session too, I hope I will
one day.

On the future of build.sr.ht, I would suggest to allow free usage for
a limited number of builds and paid usage beyond.

builds.sr.ht is one of the very nice features of sr.ht and being able
to use it for free (in a limited way) is a clear plus, and paying for
more intensive use is perfectly fine.
Details
Message ID
<6e0bfbce-1fd6-c2a4-9756-6c1bad8afc33@pate.house>
In-Reply-To
<87r1jajzow.fsf@bzg.fr> (view parent)
DKIM signature
pass
Download raw message
On 4/16/21 6:23 AM, Bastien wrote:
> On the future of build.sr.ht, I would suggest to allow free usage for
> a limited number of builds and paid usage beyond.

That doesn't do anything to prevent the current abuse.  An abusive actor needs only to create a new account to get more builds.

The abusers presumably already create new accounts in the current arms-race that is causing disruption.
Details
Message ID
<875z0mih6r.fsf@bzg.fr>
In-Reply-To
<6e0bfbce-1fd6-c2a4-9756-6c1bad8afc33@pate.house> (view parent)
DKIM signature
missing
Download raw message
Hi Roger,

Roger Pate <roger@pate.house> writes:

> On 4/16/21 6:23 AM, Bastien wrote:
>> On the future of build.sr.ht, I would suggest to allow free usage for
>> a limited number of builds and paid usage beyond.
>
> That doesn't do anything to prevent the current abuse.  An abusive
> actor needs only to create a new account to get more builds.

I suppose that spam accounts are a problem per se.

Even when the problem is solved, I stand by my proposal of allowing
free usage of builds only for a limited use.
Details
Message ID
<87eefah158.fsf@bzg.fr>
In-Reply-To
<87r1jajzow.fsf@bzg.fr> (view parent)
DKIM signature
missing
Download raw message
> On the future of build.sr.ht, I would suggest to allow free usage for
> a limited number of builds and paid usage beyond.

I've read https://man.sr.ht/billing-faq.md on the limitations of free
accounts so please ignore my previous proposal, which I understand is
not acceptable.
Details
Message ID
<CAPBPRLIDZ90.1PE0H9O7X3DLQ@taiga>
In-Reply-To
<32e85430-b650-4774-ad14-00688e473c5b@benaaron.dev> (view parent)
DKIM signature
fail
Download raw message
DKIM signature: fail
Some notes from the Mumble discussion:

First, this seems like a good idea. Most people are not opposed to
builds becoming paid-only. builds.sr.ht is the most expensive service
for us to provide, and the most ripe for abuse, and requiring payment
for its use makes sense.

It bears re-stating that sourcehut WILL become a paid service in the
future. This is made clear at multiple stages during the signup process,
and every user should understand that they will be expected to pay for
their account in the future.

However, it also bears re-stating that the intention has NEVER been to
price anyone out of the service. Once sr.ht becomes paid-only (in full
or in part), anyone who cannot afford the payments can simply ask for
free service and they will be provided it. If you're worried that you
cannot afford it, then don't worry - you can just explain your
circumstances and you will be given free service.

I'll finally re-state that contributors to your projects are not
expected to pay, and will never be expected to pay. A paid account will
not be required to send patches, file bugs, or participate in
discussions. Payment will only ever be expected of people who host their
projects on sr.ht - not anyone who contributes to those projects.

Okay, with the caveats out of the way, it seems likely that we will make
builds.sr.ht paid. The process will probably look like this:

1. Any new users after $DATE will be required to pay to use
   builds.sr.ht. Users who registered before $DATE will be allowed to
   use it for free for a while longer.
2. Any users who have submitted builds in the past 90 days, and who do
   not have a paid account, will receive notice that they will be
   required to upgrade to paid account within 30 days, or future builds
   will not be accepted.
3. After 30 days, only paid accounts will be able to submit builds.

You won't have to buy build minutes. The same usage you get today will
be covered by any of sr.ht's payment level - you just have to pay
*something*.

No dates for this migration are set yet, and we're still discussing it
internally. Will update the mailing list when the plans are more solid.

Thanks for everyone's input!
Details
Message ID
<1gH27mBdCAgDLXT0_VUvH41iAG7xaHCzMpfNBedpsC8JLyHE-xnMCJODCwxvywD_eRkgwJrJqm9RykicLT5matbwnXYyPcNtF9VtVoSTijM=@pm.me>
In-Reply-To
<CAPBPRLIDZ90.1PE0H9O7X3DLQ@taiga> (view parent)
DKIM signature
pass
Download raw message
Hi

I registered on SH quite a while ago. I'm not currently a paid user
yet, but I intend to be. It's not about any benefits I'm supposed
to get - just really like the idea and think users should support
this kind of projects. I also don't see the need to use the building
service. So my opinion here is completely objective and not geared
towards my own benefit.

The most important thing is a paid service will in no way solve
the cryptocurrency problem. To realize this, you need to understand
how arbitrage works. If I can buy something cheaply and sell it more
expensively, I will do it. For a cryptocurrency arbitrageur, the cost
is energy, hardware, administration. SH with free service reduces
these costs to a minimum. That's why it's attractive to them.

And now let's say a paid service comes along. As long as the cost
of that service is less than what they can gain from cryptocurrency,
they'll keep doing it. To stop them the price will have to be raised
to a level where it is no longer profitable for them. Otherwise,
nothing will change. Such a high price, however, will hit other users
hard. So it will be a very high cost for the whole platform - hitting
own users.

I think the solution would be a reputation based system. Let's say that
for 3-6 months after registration, a new user doesn't have access to
the build service. After this period could apply for it. For the next
3-6 months, however, his activity in the build service would be monitored
for cryptocurrency. This approach should allow for very precise catching
of users who will want to abuse this service. However, their return would
not be possible quickly, once the service was blocked.

But to be clear: I'm OK with paid service. I'm just afraid it won't be
effective against cryptocurrency.

Thx




‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐

On Friday, April 16th, 2021 at 19:28, Drew DeVault <sir@cmpwn.com> wrote:

> Some notes from the Mumble discussion:
>
> First, this seems like a good idea. Most people are not opposed to
>
> builds becoming paid-only. builds.sr.ht is the most expensive service
>
> for us to provide, and the most ripe for abuse, and requiring payment
>
> for its use makes sense.
>
> It bears re-stating that sourcehut WILL become a paid service in the
>
> future. This is made clear at multiple stages during the signup process,
>
> and every user should understand that they will be expected to pay for
>
> their account in the future.
>
> However, it also bears re-stating that the intention has NEVER been to
>
> price anyone out of the service. Once sr.ht becomes paid-only (in full
>
> or in part), anyone who cannot afford the payments can simply ask for
>
> free service and they will be provided it. If you're worried that you
>
> cannot afford it, then don't worry - you can just explain your
>
> circumstances and you will be given free service.
>
> I'll finally re-state that contributors to your projects are not
>
> expected to pay, and will never be expected to pay. A paid account will
>
> not be required to send patches, file bugs, or participate in
>
> discussions. Payment will only ever be expected of people who host their
>
> projects on sr.ht - not anyone who contributes to those projects.
>
> Okay, with the caveats out of the way, it seems likely that we will make
>
> builds.sr.ht paid. The process will probably look like this:
>
> 1.  Any new users after $DATE will be required to pay to use
>
>     builds.sr.ht. Users who registered before $DATE will be allowed to
>
>     use it for free for a while longer.
> 2.  Any users who have submitted builds in the past 90 days, and who do
>
>     not have a paid account, will receive notice that they will be
>
>     required to upgrade to paid account within 30 days, or future builds
>
>     will not be accepted.
> 3.  After 30 days, only paid accounts will be able to submit builds.
>
>     You won't have to buy build minutes. The same usage you get today will
>
>     be covered by any of sr.ht's payment level - you just have to pay
>
>     something.
>
>     No dates for this migration are set yet, and we're still discussing it
>
>     internally. Will update the mailing list when the plans are more solid.
>
>     Thanks for everyone's input!
Details
Message ID
<20210417082708.w4lnwoskfuyzsspb@slate>
In-Reply-To
<1gH27mBdCAgDLXT0_VUvH41iAG7xaHCzMpfNBedpsC8JLyHE-xnMCJODCwxvywD_eRkgwJrJqm9RykicLT5matbwnXYyPcNtF9VtVoSTijM=@pm.me> (view parent)
DKIM signature
pass
Download raw message
On 21-04-17 08:01:32, argante wrote:
> The most important thing is a paid service will in no way solve
> the cryptocurrency problem. To realize this, you need to understand
> how arbitrage works. If I can buy something cheaply and sell it more
> expensively, I will do it. For a cryptocurrency arbitrageur, the cost
> is energy, hardware, administration. SH with free service reduces
> these costs to a minimum. That's why it's attractive to them.

I think that you're overestimating the ammount a cryptocurrency miner
can get from a couple of hours of mining on sr.ht.

I doubt that it's worth it to have your account banned again and again
and having to pay for a new one (I suspect Drew will not revert all
mitigations for finding and removing problematic accounts).

Cheers,
/morc
Details
Message ID
<ZxW-d_lKg3QPJzyYNZLCDtAIsqVX718a7KwIBNiYFa022O2iAHLjL3VvndXXrpbYdC-PApuORH_axdD7dbHySk-zu5sDlq8XCuAS0ZRKCqI=@pm.me>
In-Reply-To
<20210417082708.w4lnwoskfuyzsspb@slate> (view parent)
DKIM signature
pass
Download raw message
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐

On Saturday, April 17th, 2021 at 10:27, Marius Orcsik <marius@federated.id> wrote:


> I think that you're overestimating the ammount a cryptocurrency miner
>
> can get from a couple of hours of mining on sr.ht.
>

even your old phone is an asset to them, as long as it generates
a positive margin.

How many developers do you think have actually heard about sr.ht?
1% or less? And how many percent of cryptocurrency miners are aware
that they can mine profits at the cost of sr.ht? What if more people
are aware of it? It's not overestimating.


> I doubt that it's worth it to have your account banned again and again
>
> and having to pay for a new one

This reminds me of the shell accounts from the 90's. They were very popular.
Until people started doing stupid things: cracking, illegal distribution
of software, or pornography. Shell accounts disappeared from the community
very quickly. Now you can get them mainly as a paid service. One of the ways
some free shell accounts survived was through the reputation system.


> (I suspect Drew will not revert all
>
> mitigations for finding and removing problematic accounts).
>
> Cheers,
>
> /morc
Details
Message ID
<87tuo56y7c.fsf@bzg.fr>
In-Reply-To
<CAPBPRLIDZ90.1PE0H9O7X3DLQ@taiga> (view parent)
DKIM signature
missing
Download raw message
"Drew DeVault" <sir@cmpwn.com> writes:

> It bears re-stating that sourcehut WILL become a paid service in the
> future. This is made clear at multiple stages during the signup process,
> and every user should understand that they will be expected to pay for
> their account in the future.

Did you communicate the various scenarios for the future pricing?

Do you plan to have different pricing levels for different service
levels, or just one price for the same level of services for every
paid account?

I plan to pay $5 per month for a "typical hacker" plan but I don't
know if the distinction between amateur/typical/professional will
still stand when sr.ht switches to the paid-only model.
Details
Message ID
<CAPXVHR4I9RM.9XRJ6BBZCH59@taiga>
In-Reply-To
<1gH27mBdCAgDLXT0_VUvH41iAG7xaHCzMpfNBedpsC8JLyHE-xnMCJODCwxvywD_eRkgwJrJqm9RykicLT5matbwnXYyPcNtF9VtVoSTijM=@pm.me> (view parent)
DKIM signature
pass
Download raw message
sr.ht is part of a larger abuse network of cryptocurrency miners. If we
made them pay to use builds.sr.ht, the economics would no longer work
for them. They make significantly less from mining than they would have
to spend on their subscription - and we'll *still* be banning their
accounts, so they'll have to register (and pay for) several accounts per
day.
Details
Message ID
<VT7zXWosUx-FC_IG0FAOAkd-sQ8EVlYT-zQcvq1u3TFxuZSBo1Ps_a0mkmKi3G46VNAb5y76KgAbTPxavIm8Q6dP3cgtKi5Zx2FxqSvH9PM=@pm.me>
In-Reply-To
<CAPXVHR4I9RM.9XRJ6BBZCH59@taiga> (view parent)
DKIM signature
pass
Download raw message
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐

On Saturday, April 17th, 2021 at 12:49, Drew DeVault <sir@cmpwn.com> wrote:

> sr.ht is part of a larger abuse network of cryptocurrency miners. If we
>
> made them pay to use builds.sr.ht, the economics would no longer work
>
> for them.

It is correct. However, it may be a problem to determine the price level
at which it will cease to be profitable for them. And I pointed out this
earlier. And I don't think I overestimate this problem. There is always
reality in the end and someone has to pay the bills. I saw that even
large projects are being built. The cost of electricity almost ended
OpenBSD's life.

https://marc.info/?l=openbsd-misc&m=138758456722860&w=2


They make significantly less from mining than they would have
>
> to spend on their subscription - and we'll still be banning their
>
> accounts, so they'll have to register (and pay for) several accounts per
>
> day.

Yes, that would probably increase their risk level :)
jman
Details
Message ID
<87fszpcee5.fsf@nyarlathotep>
In-Reply-To
<1gH27mBdCAgDLXT0_VUvH41iAG7xaHCzMpfNBedpsC8JLyHE-xnMCJODCwxvywD_eRkgwJrJqm9RykicLT5matbwnXYyPcNtF9VtVoSTijM=@pm.me> (view parent)
DKIM signature
pass
Download raw message
argante <argante@pm.me> writes:

> And now let's say a paid service comes along. As long as the cost
> of that service is less than what they can gain from cryptocurrency,
> they'll keep doing it.

Sorry for my perhaps naive question: how do you know? These scammers
jump from service to service when the friction to run their things for
free is not worth their time.
My guess is that their workflow to abuse SaaS CI services is almost
fully scripted.

These scammers (let me emphasize again the word) are *already* in
blatant violation of Sourcehut ToS [1] so my understanding is that the
mandatory payment is a tool to add a level of friction to shoo them away
rather then making their business less cost effective.

[1] https://man.sr.ht/terms.md#permissible-use
Details
Message ID
<CAC_ByvPsXBCTvTzSC1J4Y4EH_UVNyCDV2gchHn9QVmdz=jG=zg@mail.gmail.com>
In-Reply-To
<87fszpcee5.fsf@nyarlathotep> (view parent)
DKIM signature
pass
Download raw message
What if you have a minimum order to unlock the feature, or at least
credit card confirmation. If the user does not cause problems (like
mining) you can refund that purchase, or if you see that someone is
mining you can trigger a purchase, if the purchase does not happen
succesfully you kill all the CI functionality for that account. This
should be added to the ToS to avoid legal problems. If the user
exploits the system this user should be punished in a way that just
creating a new account does not save them.

Em sáb., 17 de abr. de 2021 às 08:58, jman <sr.ht@city17.xyz> escreveu:
>
>
> argante <argante@pm.me> writes:
>
> > And now let's say a paid service comes along. As long as the cost
> > of that service is less than what they can gain from cryptocurrency,
> > they'll keep doing it.
>
> Sorry for my perhaps naive question: how do you know? These scammers
> jump from service to service when the friction to run their things for
> free is not worth their time.
> My guess is that their workflow to abuse SaaS CI services is almost
> fully scripted.
>
> These scammers (let me emphasize again the word) are *already* in
> blatant violation of Sourcehut ToS [1] so my understanding is that the
> mandatory payment is a tool to add a level of friction to shoo them away
> rather then making their business less cost effective.
>
> [1] https://man.sr.ht/terms.md#permissible-use
Details
Message ID
<qboW9MOjwYnWQlFLsZxocSc2eTHz0iU3nMV0VB2du66f2EX7Nq2TI1M1lP5yM5KkzPaBxLzPT7IAmFmfsJe6cxFNzlgJHUdMHMyaUhaB3z0=@pm.me>
In-Reply-To
<87fszpcee5.fsf@nyarlathotep> (view parent)
DKIM signature
pass
Download raw message
https://layerci.com/blog/crypto-miners-are-killing-free-ci/

not only sr.ht
Reply to thread Export thread (mbox)