[tor-project] GitLab rate limiting deployed



Today, we have deployed a mechanism to fight the flood of attacks
against our GitLab server. It currently consists of a simple check for
cookie and JavaScript in your web browser, but could be expanded to
cover more complex checks.

For now, if you see a "429 Rate Limited" error page, don't worry, it's
normal: as long as your browser supports JavaScript and cookies, the
page should reload within five seconds and let you go ahead.

You will see the page when opening the page the first time in a new
browser, which includes a fresh Tor Browser session, a "Private Window",
or a disposable browser profile.

If you operate a bot or script that scrapes GitLab, you might hit the
rate limiter as well. We've added exemptions for servers managed by TPA
and certain user agents, so we currently assume this will have minimal
impact on our community.

If this still creates problems for you, feel free to file a new issue
with TPA at:

https://gitlab.torproject.org/tpo/tpa/team/-/issues/new

If you cannot reach GitLab, you can contact us in `#tor-admin` on
`irc.oftc.net` or `#tor-admin:matrix.org` or through email at
torproject-admin@xxxxxxxxxxxxxx.

You can read more about this decision in ADR-108:

https://gitlab.torproject.org/tpo/tpa/team/-/wikis/policy/0108-gitlab-cookie-and-javascript-enforcement

Note that this only affects the gitlab.torproject.org site, not GitLab
pages, the container registry or other GitLab components for now. But
similar mechanisms might have to be implemented on those other
services as well if abuse spreads over.

Thanks and have a nice day,

a.

-- 
Antoine Beaupré
torproject.org system administration