If you look at the list of users, you will notice that a lot of them are
spambots or spampuppets.  Two problems:

1. it makes functionality like 'Assigned To' harder to use (have to scroll past
all the junk users)
2. the alternate-address feature on their user page gives them a place to link
to their sites, garnering a pagerank boost (took me a while to figure out what
they were after)

We need somebody with access to the db to delete the users.

I see what you mean - eg the funkytimes and glittergrrrls users at http://bugs.darcs.net/user 
  (login required).

We currently allow anonymous email replies, which creates users:

# Let anonymous users access the email interface (note that this implies
# that they will be registered automatically, hence they will need the
# "Create" user Permission below)
# This is disabled by default to stop spam from auto-registering users  
on
# public trackers.
db.security.addPermissionToRole('Anonymous', 'Email Access')

I think we'll sooner or later have to close this. We could try leaving  
it open for a while longer. As I understand it the advantage of having  
it open is you can forward a bug mail to a non-bugs.darcs.net-member  
and they can reply and start interacting with the bug tracker with  
zero hassle. Once we close it I assume they will get some kind of  
bounce requiring web signup.

Re cleanup: I cannot find out how to delete users from the roundup  
docs or list archive. I assume just deleting them in postgres is safe  
enough, but I'll ask around a little more. If anyone knows, please  
reply.

> Re cleanup: I cannot find out how to delete users from the roundup  
> docs or list archive. I assume just deleting them in postgres is safe  
> enough, but I'll ask around a little more. If anyone knows, please  
> reply.

I have confidence the direct DB deletes safe, although they could "mess up" any
tickets that the user has been associated with.

I recall as part of the original migration to the PostgreSQL back-end, I had to
create a couple of "system" users to stand in for one or two legitimate users
that were accidentally deleted. (I cleaned up a lot of invalid/spam data at that
time, if I recall).

The Roundup data model is not standard SQL, it seems like it involves Python
data structures that reference IDs in some text fields in the database.

It can make hard to search for and make some kinds of changes using direct SQL.

But in summary, I think cleaning out spam users via PostgreSQL is possible, it
just needs to be done with care.

    Mark

Thanks Mark, that is helpful. You're right, roundup uses a  
"hyperdatabase" abstraction layer which should be used. The roundup- 
admin tool seems pretty powerful.

I "retired" about 500 obvious spam users (using roundup-admin plus a  
little emacs magic). I'd rather expunge them completely, but hopefully  
this will get them out of sight. Follow up here if you find more.