Add report button to popup panel

[KonoromiHimaries]

With filters, the problem is that, if one of the lists it will break down. people turn off adblock on this site.

Nobody submits broken pages to the authors of the lists.

The problem is getting worse, for example, the last incident with the mbank
https://www.wykop.pl/link/4094131/brak-mozliwosci-zalogowania-do-mbanku-z-wlaczonym-ublockiem/

i think you can add a button to report broken site centrally for filters maintainers
example.

[jspenguin2017]

I definitely have that in mind.

[elypter]

if multiple people report a problem then a script can guess which list the problem is in. maybe also add a soft-off button that switches off every filter that is more prone to break something than others.

[jspenguin2017]

Can someone help me investigate how the report button works in AdBlock / ABP / Adguard?
Do they just send you to the forum or it is close to a one-click report? If it's a automated or half-automated, what does it collect?

[jspenguin2017]

Which one is better?

[kah0922]

Definitely the bug. It gives a clearer indication of the intended purpose.

[elypter]

according to abp their report contains this
<report type="false negative"> <window url="https://www.mtbs3d.com/phpBB/viewforum.php?f=*"/> <subscriptions> <subscription id="https://easylist-downloads.adblockplus.org/exceptionrules.txt" version="201801170901" lastDownloadAttempt="-19" lastDownloadSuccess="-19" softExpiration="73967" hardExpiration="172781" downloadStatus="synchronize_ok" disabledFilters="0"/> <subscription id="https://easylist-downloads.adblockplus.org/easylistgermany+easylist.txt" version="201801170900" lastDownloadAttempt="-18" lastDownloadSuccess="-18" softExpiration="95450" hardExpiration="172782" downloadStatus="synchronize_ok" disabledFilters="0"/></subscriptions> <adblock-plus version="3.0.2" locale="de"/> <application name="Firefox" version="57.0.1" vendor="" userAgent="Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:57.0) Gecko/20100101 Firefox/57.0"/> <platform name="Gecko" version="57.0"/> <comment>comment sample</comment> <email>test@example.com</email></report>

so it sends what lists the user has activated. the user only gets asked if its a false positive or a false negative and if he wants to add a comment and an email. this is what the show report button says. i didnt inspect if abp is honest

[elypter]

adguard offers more options like connection with github account, manual selection of filters and version, an option to mark the link as nsfw, a little troubleshooting in the beginning(have you updated your filters and disabled custom filters?) and requires a screenshot. it didnt have an option to show the source of the report. all this is already happening on a webinterface so some information already gets submitted to the server before sending the report.

[elypter]

both send you through several steps to add information. none of them requires captchas. they might only do when you send too many reports.

[elypter]

i think nano adblocker requires a different approach. all these adblockers use a narrow band of filterlists so it is easy for them to decide which list needs fixing. if you use 20 filters in nano and many people do then it will be hard to distinguish which list causes a problem(in the case of a false positive or a broken site). i suggest that nano blocker should give the option to debug the problem by intelligently switching of lists until the problem disappears. it should do this with not tool many steps(not one step for each activated list) to narrow down the problem without too much work. this would not be a 100% hit but rather a hint that it is one of a bunch of filters. but if multiple users report the issue and nano blocker choses different filters to deactivate for each user then you could detect the pattern on the server side

[jspenguin2017]

I'll probably use a rate limiter, it's usually more effective than CAPTCHA.

I don't think I have enough users to run a sophisticated algorithm on server side. So I'll start with a plain simple bug reporter. I can add more logic to deal with known / repeated cases later.

Collecting test data is definitely going to help to narrow the problem down to one filter, although that does require quite a bit of work to implement properly, and 99% of the time just the test link will suffice. The vast majority of users won't add more than 4 or 5 filters than default.

[elypter]

when you chose an issue tracker i suggest to use one that allows to have multiple projects and the possibility to move bugs between them. the idea is that filterlist maintainers could register to the tracker and work together to fix conflicts and to move filters to the list they fit in the best. this also allows to open a bug report even when it is not clear yet which list it should belong to and move it once that has been figured out.

[jspenguin2017]

Do you have a recommendation?
I was thinking of writing my own system because nothing I know gives me features I need (pre-moderation, UA parsing, domain grouping, etc).

[elypter]

not, really. i dont know much more from the systems than you do from reporting a few bugs. there is an overview on wikipedia https://en.wikipedia.org/wiki/Comparison_of_issue-tracking_systems but it doesnt inform you about most of the features. if you cannot find one that has all of the features they might exist as plugins. if they dont, i think it is still easier to write a plugin yourself than to start a whole new system from scratch. for the domain grouping you can maybe use some auto merging functionality if it exists. so the first user to report a domain creates an issue and all following get merged as comments. btw, cant you just send the User Agent as part of the report? the user doesn't have any interest in faking it and if he had he could do anyway. if it is for the rate limiting i think this is better done by the webserver.

[jspenguin2017]

I need a really fast and efficient system to minimize server costs, and it needs to run on Debian, Windows is not acceptable, which rules out .NET, Python, Ruby, Perl, and PHP. Which means the only languages left are: JavaScript, Java, and Go. C and C++ are also OK although I don't think anyone use them to write web apps. Since I probably have to modify it, it needs to be open source and probably in JavaScript.
Any database system is acceptable although MongoDB is preferred.

Looking thought the list, none seems to fit my needs.
I don't think I want to have a full issues tracker, as there isn't a reasonable way for me to handle screenshots. And I can't allow real-time chatting because of all the legal stuff, I would need to approve each comment.

I think I probably have to write my own web app for it.

cant you just send the User Agent as part of the report

That's my plan, although I need the server to parse it in order to sort the reports.

for the rate limiting i think this is better done by the webserver

Well, the bug tracking system is done by the web server as well. I'm not sure what you mean.

[elypter]

Python, Ruby, Perl, and PHP run very well on debian. i find it rather odd using them on windows or use windows for hosting at all. even .NET is possible on linux to some degree with MONO or .NET Core. the other languages are a bit odd except from js in the form of Node.js but i do not see any reason why to limit on any language except from personal preference.

i dont think a decently written issue tracker easily causes performance problems. its a rather low volume application. the choice and configuration of the webserver is more important if at all.

i dont think people having conversations is a huge deal. web forums do exist and they are only about conversation. if its really a big concern then host in a more freedom of speech friendly country.

Well, the bug tracking system is done by the web server as well. I'm not sure what you mean.

there are methods to limit access through the webserver config that block ddos or misuse before it even hits serverside scripting.

[jspenguin2017]

Node.js is 50 times faster than Python, I can't afford running a Python server.
.NET Core can run .NET apps, but not fast. The real .NET runtime is blazing fast on Windows, but my server has 1GB of RAM, so Windows can't even start...

I don't want a tracker that's only good for low volume. It really doesn't matter how well your software is written, if it's in Ruby it WILL be slow beyond reason.

It's not about freedom of speech, it's about when someone post illegal stuff, the responsibility for distributing that illegal material that is on the host.

there are methods to limit access through the webserver config that block ddos or misuse before it even hits serverside scripting.

Example?

[elypter]

really? they are both interpreted languages and you can increase speed a lot with things like cython.
btw how fast does it have to be? more than 10 requests/second?

in most countries the responsibility is not on the host. you are just obliged to delete when being asked to but you can get around this by just not allowing uploads. just let people use an image hoster for screenshots.

Example?

in apache you can do it with mod-security or mod-ratelimit for example and there is also the option of reverse proxies which however cost money but also protect you from ddosing.

[elypter]

maybe you could work together with collinbarrett from https://github.com/collinbarrett/FilterLists in this who if i remember correctly also has ideas to streamline filterlist reporting.

[jspenguin2017]

JavaScript can be interpreted, just like C++ can be interpreted. JavaScript can be compiled to machine code, Python as well, however, the JIT compiler of Python, PyPy, comes close to V8, the JIT compiler of JavaScript, but still fall short by a good chunk.

Apache isn't an option, it's too easy to take down the server with Slowloris, even with mod-security enabled. Also uBO's 2 seconds delay between filter downloads will just take down Apache servers in no time. Thankfully GitHub isn't using that.
I rather have application code to handle rate limiting, I don't want to be installing 50 different extensions. I want to have different rate limits for different part of the web app.

We have a really tight budget, so anything that cost extra money isn't an option. I need something that is blazing fast even on really tight memory (512MB including OS). 10 requests per second is definitely unacceptable, let's start with 10 000 per second per core.

[jspenguin2017]

Currently the server costs $5 per month, which is quite a bit, if Vultr's $2.5 server can handle the new web app, I'll move over.

If I get DDoSed, I'll just turn off my server and wait it out. DDoSing costs lots of money and there isn't a reasonable way for me to defend that, although I need to be resistant to plain DoS.

if i remember correctly also has ideas to streamline filterlist reporting

Ping him over?

[KonoromiHimaries]

Currently the server costs $5 per month, which is quite a bit, if Vultr's $2.5 server can handle the new web app, I'll move over.

@jspenguin2017 maybe C1
https://www.scaleway.com/baremetal-cloud-servers/

[jspenguin2017]

4 ARM Cores... Eh...
Its unfortunate but my server is designed to not scale with CPU core count... Yea that's a bad decision.

From my past experience, 1 true x86 core smokes 4 ARM cores' pants off.

[KonoromiHimaries]

img

[jspenguin2017]

I think most people won't bother running though 8 whole steps. That's not better than asking them to come to GitHub.
I'll have a one-click report with optional additional info, and it's the server's job to guess which report is good and copy it to GitHub.

[jspenguin2017]

Scaleway does look promising in term of bandwidth, although the computing power is kind of bad, 4 ARMv7 cores sounds like a lot but in reality it's nothing. I suspect they'll suspend people who serve massive amount of data out of their datacenters. From quick calculation, you can pump out 50 TB worth of data in the month, there is no way for them to be able to accept that.

Alright, my decision is set, I'll write a new lightweight minimalist reporting end point and get this started. Nothing that exists fits us well.

[KonoromiHimaries]

although the computing power is kind of bad, 4 ARMv7 cores sounds like a lot but in reality it's nothing.

@jspenguin2017 what your think about that 2 x86 64bit Cores
https://www.scaleway.com/virtual-cloud-servers/

[jspenguin2017]

2 cores, but not 2 functional cores, according to reviews.

[sebast889]

I don't know what kind of UI you have in mind but I think adding links to forums.lanik.us and NanoFilters repo will good (and NanoCore if you want people to know where to report bugs about the extension).

[elypter]

creating an account for a single report is too much for most people and i can understand it. i have a dozen accounts on bugtrackers that i just made for a single thing.

[jspenguin2017]

Hum, I still think thumb down button is better...

[jspenguin2017]

Which machine learning library is best for the bug reporting end point? Any recommendation?

[KonoromiHimaries]

Hum, I still think thumb down button is better...

for spam report - yes
for bug report - no

[KonoromiHimaries]

Which machine learning library is best for the bug reporting end point?

choose the one you know best
https://github.com/josephmisiti/awesome-machine-learning

[jspenguin2017]

If I have not mistaken, Adguard's report button is thumb down. It kind of make sense...
It's not quite "bug report" button, more like a "not working" button.

[jspenguin2017]

Different machine learning algorithms definitely will make a huge difference. I'm thinking of starting with a naive logic and train an AI on the side and see how far that goes...
I probably should run more than 1 algorithm as I'm not exactly sure which algorithm would make sense for filter reports.

[jspenguin2017]

OK, how about this:

• When on NanoCore, NanoFilters, NanoDefender (both), or uAssets issues creation page, the bug icon is shown and clicking it will auto-fill the issue (environment, selected filters, etc)
• When on another website, the flag icon is shown and clicking it will open the quick problem reporter

[elypter]

but people should be able to submit more complex information if they want to in the quick reporter too. sometimes problems are only visible under certain conditions.

[jspenguin2017]

Quick reports are handled by a bot (either hard coded logic or machine learning), I will accept more info, although how the bot will handle that is another question. If you want to fill a detailed report, just come to GitHub.

[jspenguin2017]

I feel like the current server design isn't the best, the database handling isn't ideal... I think I should spend the time fixing the misdesign instead of keep building on something that's not scalable. I need to implement proper async and make the database not based on JSON.

I also have some technical difficulties with my other tools. I built them with Electron thinking it is cross platform but apparently they won't work on Ubuntu. There are like 5 bug reports open in their repo since December and no one seems to care. It's too slow anyway so I guess I should start learning Qt.

If anyone has ideas for small but useful features please let me know, it's been a while since last feature release.

[elypter]

i dont know what you use a gui for but i suggest to consider wxwidgets. it is a metatoolkit that renders the application in the native toolkit that the platform offers (gtk on linux but experimental qt support also exists)

[jspenguin2017]

I think I know how to design the bug report server now. I'll go with Adguard's approach and use GitHub issues tracker as the tracking engine.

[jspenguin2017]

As you may already noticed, Nano Defender has a bug report button for some time now, it's just a matter of copy-pasting the code over, but there are a few problems to be sorted out first:

• GeoIP lookup is manual, it needs to be automated (I need to know where the report came from to deal with GeoLock)
• Outdated extension bouncer is not implemented, ideally we want to prevent outdated extensions from sending reports
• Duplicate bouncer is on client side, I think I should make it a downloadable asset (like filters); the server will put all duplicate issues together though, I'm not sure if this will be a problem

[jspenguin2017]

OK, GeoIP system is up now. We should be ready to roll out the report button soon.

Ideally I want to have a front end server to bounce bad reports, and have a back end server to handle the rest. This way, I can code more aggressively on the front end server; if I accidentally coded a vulnerability, the damage would be limited.

[elypter]

an outdated extension should not make the button invisible though. rather trigger an update or ask for it.

[jspenguin2017]

There is no easy way for the extension to know whether it is outdated. If it is outdated, the server will simply reject the report.

[jspenguin2017]

It's almost ready! https://github.com/NanoMeow/IntegrationServer
I still need:

• Admin dashboard
• Aggressively reject invalid url (?)
• Outdated extension bouncer (?)

I think I should have the server simply flag invalid urls but not reject them, when I'm sure it's working properly I can switch on the aggressive rejection mode.

[jspenguin2017]

Let's just ship the beta in both extensions, what can possibly go wrong?

I'll worry about the new report server later.