Codeberg Accessibility #479

Open
opened 1 year ago by fnetX · 32 comments
fnetX commented 1 year ago
Collaborator

In #389 it was reported that text editors were not accessible yet.
Given that such a central piece of the software is not accessible by screen readers (and spell checkers for that matter) yet, it's very likely that there are other UI roadblocks, too.

I'd love to improve this and take the power of Codeberg to move on here. I'm opening this issue to collect open issues that are already identified, discuss new eventual issues and / or talk about asking for an audit of the software.

Also we should talk about QA to make sure that UI changes / framework migrations etc do not introduce new accessibility issues.

Of course this needs a close collaboration with the upstream developers, but first opening here to collect the material necessary and talk about how Codeberg can support this mission.


Edit: Current status

Accessibility for Gitea is an ongoing issue, the most important problems currently:

  • comment editor not accessible, WIP upstream https://github.com/go-gitea/gitea/pull/15394
  • our captcha is only possible with good eye vision and hard, we need alternatives like audio captcha or honeypots (https://github.com/go-gitea/gitea/issues/11426)
  • we don't know what else needs improvement and we're looking for someone to audit Gitea
fnetX added the contribution welcome, gitea-related labels 1 year ago
Poster
Collaborator

We got a recent bump on Social Media and I'd like to add this to the list of highest priority stuff to be completed ASAP. The issue is that we don't really know what to do and where the blockers are. Funding an external analysis is an option, also hiring developers to fix this, but we can probably only support the fix for one matter this year, and there are competing highest-priority topics 😕

In an internal issue (not very active), we talked about supporting this: https://github.com/go-gitea/gitea/issues/11426 (honeypots instead of captcha). It would be cool if someone could say if this improves the signup situation.

Also, apart from the even-with-intact-vision-hard-to-solve captcha, there might be more issues in Gitea we are not aware of, and I personally don't really know how to properly audit this.

fnetX added the bug label 1 year ago
fnetX added this to the Summer 2021 (obsolete, lol) milestone 1 year ago
Poster
Collaborator

https://github.com/go-gitea/gitea/issues/7057#issuecomment-881230491 some PRs are breaking screen reader support. Looks like we urgently need to step in there. Discussing some possible ways of handling this right now.

We probably need to hire someone to fix the two breaking issues for 1.15 and then someone to do some audit and / or fix some issues. Any idea how to start the search?

Of course close collaboration is necessary, like, there are talks about moving to another UI toolkit etc, maybe we should just use funds to get this milestone in and then continue from there ...


Hi, I mentioned on Fedi that I would like to step in and help.
I have never worked with Gitea's source and I'm not sure whether Codeberg maintains a fork. Should I try to implement a fix against the fork if there is one?

Poster
Collaborator

Hmm, best would be to address the mentioned issues (the PRs) upstream at the Gitea source code: https://github.com/go-gitea/gitea/

Codeberg does maintain a fork at https://codeberg.org/codeberg/gitea, but it is only meant for contributions that don't work upstream (e.g. because they are hacky fixes or tiny changes).

If you don't have a GitHub account, you can maybe still raise your PR here at Codeberg ... you'd have to target the codeberg-1.15 branch then.

If you have any questions or need assistance, please let us know how we can help. Thank you very much!


@fnetX thank you for the response! I wanted to hack on it now but my changes to the install template are not visible after I do `TAGS="bindata sqlite sqlite_unlock_notify" make build`, even after I tried to `make clean`. Is there anything else I need to do?

Ah, sorry, it's actually fine

Poster
Collaborator

@charlag hey, did you make any progress? Is there something we can help with?

Poster
Collaborator

Okay, just read the thread on GitHub, somehow missed the last messages in my email spam. Would you be available for hire, too, just to fix these urgent issues at first? We'd need some warmup to get official contracting correctly, but it might be a good start, if you're interested, too.


Hey

I am not available for hire and, unfortunately, I do not have enough of my holidays left to make sure I will be done with it.
As I wrote there the easiest for now is to just replace those dropdowns with `<select>`. Gitea maintainers want more advanced solution and I recommend contacting Jookia (https://github.com/Jookia) (also on Fediverse: https://social.tchncs.de/@jookia) who has quite some experience in it and also implemented the previous dropdown. If nothing works out I can try this out in my free time still.
fnetX added the upstream label 1 year ago
Poster
Collaborator

Re CAPTCHA: We'd love to add an audio captcha to Gitea. Contributions very welcome. Building an own CAPTCHA (to Gitea) has the advantage that people can't use generic scripts.

Other options I have on my notes so far:

  • FriendlyCaptcha, not sure if it can be self-hosted https://github.com/FriendlyCaptcha
  • https://captcheck.netsyms.com/ which is btw available on a Gitea too https://source.netsyms.com/Netsyms/Captcheck - maybe we can even collaborate with the developers
  • continue maintenance of https://visualcaptcha.net
  • allow users to switch to another captcha service (e.g. offer two), so if the main captcha doesn't work out, they can either email us or activate a third-party service if they are fine with it
Poster
Collaborator

Small heads-up regarding the captcha: We are considering building a captcha service ourself. The whole story (idea) can be found here: https://codeberg.org/Codeberg-Infrastructure/CaptchaService

Contribution very welcome. We are probably aiming to do this in a one-weekend hackathon for a proof-of-concept prototype.


Any movement on the CAPTCHA issue? We have a dev who cannot create a new account.
https://chaos.social/@dentangle/108652266792247321

Poster
Collaborator

No real progress, we are sorry. We're still asking them to send us an email in the meantime until we find someone to come up with a proper patch.

Just disabling the captcha is not a solution. We tried this several times, and spam was shooting to the moon. The most recent observation was that some simple and custom tweak heavily reduced bot-registrations by doing simple transforms to the captcha text.

So yes, the captcha is very effective, and the solution is to offer an accessible one (e.g. via audio or (as we considered to try) with text-based question-answer). We are a handful of volunteers, and cannot compete with proprietary for-profit platforms that have much more funds than we have.
Regarding Gitea, we often wish they had a different prioritization, but it's a do-ocracy in the end (those who do decide what they do). For Codeberg, we're just not finding enough time to get into developing real solutions.


Hi Otto,

Thanks for responding to me. Perhaps you may want to get codeberg.org to make an appeal for help in the Fediverse. As the history in the ticket indicates you don't have the internal experience.

So perhaps it may be the time to make the #a11y #accessibility appeal while you have the momentum.

We've had a lot of pain dealing with other code forges' accessibility processes. So perhaps this is the chance to create a really community focused process.

Cheers

Esther

Poster
Collaborator

Definitely worth a try given the recent attention. But our overall increase in e.g. followers was not very high, and most recent calls for contributors didn't lead to much attention to be honest.

We also discussed accessibility-related issues with the public in the past. We once refused to update Gitea until a regression with the menus was fixed. My experience is that people are loud to complain, and leave the debate as soon as we ask questions. For example whether honeypots are accessible to screen readers (it might be a good option to try). But from those many voices who complain, we have to wait long for someone who will add something that actually pushes things forward.

And since there are some users who are sending us some "angry" messages via Social Media right now, and I'm the one who'll read them all in the end, instead of asking for help publicly I'll just not open social media for a day, or two, or for whatever time I see necessary to protect me from shitstorms.
I don't understand why people think they can post whatever to organization accounts, don't they know humans will read it in the end?

Whatever, since both the text-based captcha system and an audio alternative probably require quite some work, the easiest solution might be to try out some simple honeypot patch on Codeberg and see if we can bring this live within a few days. We'll also have to think how we can measure the spam impact, in order to protect our volunteer moderators from spending too much time cleaning up afterwards.


So you won't disable the CAPTCHA because it creates a problem for you? So you decided it's more important to pass that problem on to vision impaired users instead.

I suggest the following process:

  1. remove the CAPTCHA
  2. THEN, find an accessible replacement solution

Punting this down the road for years isn't on. We, the Open Source community, are recommending and supporting you. That is subject to change.

If email is your accessible solution, great. Let that be the process for ALL USERS. Asking vision impaired users to overcome additional obstacles isn't acceptable morally or legally.


> I don't understand why people think they can post whatever to organization accounts, don't they know humans will read it in the end?

Real humans have to deal with the accessibility issues too. Every day. You're just the next broken website in a long day at the end of a long week and that happens every day.

Don't take it personally. Take it seriously.

Perhaps https://codeberg.org/lerntools/base/issues/146 or https://codeberg.org/MintApps/server/issues/3 can be an alternative to Captcha?

I brought up this issue in the forge federation chat (https://matrix.to/#/!SakSkZqjzMsaPCVqlv:matrix.batsense.net/$ya8WOS6pIYA8cCUhPhKEg50GfKs1dGul5QWK3MGiai8?via=matrix.org&via=t2bot.io&via=matrix.batsense.net) where @realaravinth is member and also creator of mCaptcha (https://github.com/mCaptcha/mCaptcha). He and @gusted are looking into possible use of this project on the mCaptcha matrix chat (https://matrix.to/#/#mCaptcha:matrix.batsense.net).

(Also added this info to the related fedi discussion: https://mastodon.social/@humanetech/108655685245004778)

> @onepict wrote:
>
> So perhaps it may be the time to make the #a11y #accessibility appeal while you have the momentum.
>
> We've had a lot of pain dealing with other code forges' accessibility processes. So perhaps this is the chance to create a really community focused process.

> @fnetX wrote:
>
> Definitely worth a try given the recent attention. [..] We also discussed accessibility-related issues with the public in the past.

I have passed a request to the new FossAbility chatroom (https://matrix.to/#/!pdWcxVzjjWRkHizUoA:matrix.org/$jYgW_Dr7latfHU6HFavepd34f3ZaazZ9xUxvxVAlB3c?via=libera.chat&via=matrix.org&via=lowerelements.club) where there is a community that is really actively looking to bring a11y improvement across the FOSS landscape.

FossAbility was started by @devinprater@devin.masto.host (https://devin.masto.host/@devinprater). Other fedizens real active in a11y:

  • @blindscribe@writing.exchange (https://writing.exchange/@blindscribe)
  • @seirdy@pleroma.envs.net (https://pleroma.envs.net/users/Seirdy)

I also created a new topic in the Gitea community forum (https://discourse.gitea.io/t/gitea-accessibility-issues-and-call-for-contributors-on-the-fediverse/5500) related to this.
Collaborator

Hi everyone 👋,

I would like to give you an update, that the Codeberg team is looking into alternative methods to prevent spammers without a non-accessible captcha and we will discuss it more in-depth in the internal Codeberg meeting.

We're currently leaning into adapting mCaptcha (https://github.com/mCaptcha/mCaptcha/) as, due to its design, it avoids all accessibility issues and also avoids a cat and mouse game whereby the captcha will require active maintenance. Feel free to give your two cents here about the issue and other possible captchas.

PS: please keep it on-topic.
Poster
Collaborator

We're scheduling a public meeting tomorrow (Thursday 2022-07-21) at 19.00 CEST (17.00 UTC), probably via a BigBlueButton hosting, to talk about our captcha. We hope to get through the important topics within an hour. I'll happily share the link here if anyone is interested.

@fnetX really appreciated. I sent a toot (https://mastodon.social/@humanetech/108683748152153409) to thank Codeberg/Gitea and added a link to the meeting call.
Poster
Collaborator

I just created the meeting: https://lecture.senfcall.de/ott-zml-1vs-qcc. Feel free to join us, but the schedule will probably be rather tight.

Collaborator

Hi everyone 👋,

A big thanks to those that came to the meeting. It was a really great and productive meeting to discuss this issue.

Here is a summary of what happened in the meeting:

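  • @realaravinth gave a presentation about what mCaptcha (https://github.com/mCaptcha/mCaptcha/) is and how it works. The slides: https://batsense.net/talks/codeberg-introducing-mcaptcha/slides/2022-07-21-codeberg-introducing-mcaptcha.pdf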
  • Concerns were raised about the PoW design. It currently uses SHA256, which can be hardware accelerated so targeted attacks can produce a fast rate of hashes.
    • The variable difficulty factor combats this by increasing the amount of work that the client has to do when increased traffic is detected.
    • Alternatively, mCaptcha could adapt a new algorithm which is specifically designed to not be able to be hardware accelerated (ex. scrypt or argon2d).
  • Other captchas were briefly mentioned, but since there aren't any that have good self-hosting capabilities, they were discarded as a viable option.
  • While it does solve the visual accessibility of the captcha, it will introduce a new possible accessibility issue for those with older hardware. Although computing a hash is typically quick, if you need to do it over and over again, it's possible that older hardware won't be able to find the proof in time. Luckily, the difficulty factors are adjustable, so Codeberg is taking into account that the first few days and weeks will require a lot of monitoring and adjustments to the difficulty factor to fit the use-case of hardware that registering users are using.
  • General improvements were mentioned, like having a visual indicator about how high the difficulty factor is for the frontend.

Overall, the general consensus is that mCaptcha is a better option than the current captcha and Codeberg would like to try it out in production as soon as possible. I will personally be working on making this happen.

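The proof-of-work trade-off summarised in the meeting notes above, as an added example (not mCaptcha's or Gitea's code): a hashcash-style SHA-256 challenge where the server picks the difficulty from recent traffic, verification costs one hash, and a client with a limited hash budget can fail at high difficulty. The challenge format, the level table and all function names are assumptions made for this illustration.

```go
// Added illustration, not mCaptcha's or Gitea's code. The scheme (salt plus an
// 8-byte nonce, first 8 hash bytes compared to a threshold) is an assumption.
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math"
)

// Challenge is what the server hands to a registering client.
type Challenge struct {
	Salt       string // random value chosen by the server
	Difficulty uint64 // expected number of SHA-256 evaluations per solution
}

// Level maps a traffic level to a difficulty factor.
type Level struct {
	MinVisitors int // recent sign-up requests at which this level starts
	Difficulty  uint64
}

// DefaultLevels are constructed values, not a recommendation.
var DefaultLevels = []Level{{0, 5000}, {50, 50000}, {500, 500000}}

// DifficultyFor implements the variable difficulty factor: more recent
// traffic selects a higher level, so every request costs the client more.
func DifficultyFor(levels []Level, recentVisitors int) uint64 {
	d := levels[0].Difficulty
	for _, l := range levels {
		if recentVisitors >= l.MinVisitors {
			d = l.Difficulty
		}
	}
	return d
}

// threshold is the largest score that counts as a valid proof. About one
// hash in `difficulty` falls at or below it.
func threshold(difficulty uint64) uint64 {
	if difficulty <= 1 {
		return math.MaxUint64
	}
	return math.MaxUint64 / difficulty
}

// score hashes salt||nonce and reads the first 8 bytes as a big-endian integer.
func score(salt string, nonce uint64) uint64 {
	var n [8]byte
	binary.BigEndian.PutUint64(n[:], nonce)
	sum := sha256.Sum256(append([]byte(salt), n[:]...))
	return binary.BigEndian.Uint64(sum[:8])
}

// Verify is the server side: a single hash, whatever the difficulty.
func Verify(c Challenge, nonce uint64) bool {
	return score(c.Salt, nonce) <= threshold(c.Difficulty)
}

// Solve is the client side. maxHashes models the time limit: a slow device
// that cannot compute enough hashes before the challenge expires gets ok=false.
func Solve(c Challenge, maxHashes uint64) (nonce, tried uint64, ok bool) {
	t := threshold(c.Difficulty)
	for nonce = 0; nonce < maxHashes; nonce++ {
		if score(c.Salt, nonce) <= t {
			return nonce, nonce + 1, true
		}
	}
	return 0, maxHashes, false
}

// NewChallenge draws a fresh salt so solutions cannot be precomputed. A real
// deployment must also expire each salt and accept it only once.
func NewChallenge(difficulty uint64) (Challenge, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return Challenge{}, err
	}
	return Challenge{Salt: hex.EncodeToString(b), Difficulty: difficulty}, nil
}

func main() {
	const slowClientBudget = 200000 // constructed: hashes an old device manages in time
	for _, visitors := range []int{3, 80, 900} {
		c, err := NewChallenge(DifficultyFor(DefaultLevels, visitors))
		if err != nil {
			panic(err)
		}
		_, tried, ok := Solve(c, slowClientBudget)
		fmt.Printf("visitors=%d difficulty=%d hashes=%d solved=%v\n",
			visitors, c.Difficulty, tried, ok)
	}
}
```

Running it a few times shows the spread in client work at each level and how often the constructed slow-client budget runs out at the highest one, which is the monitoring and tuning concern raised in the meeting.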
Collaborator

Hello everyone 👋,

I would like to give a small update about this issue. I've made progress towards integrating mCaptcha into Gitea and made a Pull Request (https://github.com/go-gitea/gitea/pull/20458) for this. Once this is merged we can backport it to Codeberg and enable this captcha.
Collaborator

merged and backported for codeberg: https://codeberg.org/Codeberg/gitea/commit/359d80295eab7d1cb0ca4c95be1cbdba24a73617 (tested)
Collaborator
next step would be to alter https://codeberg.org/Codeberg-Infrastructure/build-deploy-gitea/src/branch/codeberg-1.17/etc/gitea/conf/app.ini#L101 and deploy it ...
Collaborator

... and we need a mcaptcha instance
Collaborator

assign me if i should work on it

Collaborator

Hi everyone 👋,

Another progress update.

We're currently working on setting up an mCaptcha instance in the Codeberg infrastructure, but this has faced some problems. This is due to mCaptcha currently not having any released binaries. This on its own has some problems, which I will be working on with the mCaptcha author (@realaravinth).

Reference: Codeberg/Community#479