The issue(s) that I see here are that while it seems like this may mitigate malicious or capricious bots, it only seems to do so by removing endpoints that benevolent developers may use too. This reeks of security through obscurity and, while it may not be intentional, feels semi-hostile to positive development practices.
I for one feel that while bots are useful, I never understood the need, nor desire, for so many followers. That being said, I realize that I may be in the minority in that feeling. In any case, I believe that removing such an endpoint only changes the scope of where such malicious actors may code for next. In all likelihood, they moved on once they heard this announcement (which no doubt contributed to its expedient removal without deprecation). Point in fact, I don't think even restricting this/these endpoint(s) behind any form of vetting process should be needed, nor required. Will it likely fully mitigate the risk? Possibly. But let's speak to the larger issue(s) at hand here: am I likely to have to make my source open source (yes), should that requirement be a fully working code (maybe), how well is the endpoint documented (at the moment it's removed, so null), am I guaranteed that changing my code won't require a revetting of the entire codebase (unsure at this juncture but unlikely), how would the platform benefit from code like this being vetted (it would make bots have a harder time following and unfollowing), are there any potential other solutions (yes, many). One such potential solution is that you could add a follow button to a user's viewercard (which already is a minimized view and allows `Add Friend`, `Whisper`, and `Gift Sub`). Does this solve the problem of programmatically allowing such a follow/unfollow to occur? Kind of, though it does require the user to load a web site/browser; this allows the platform to make sure the user is logged in via cookies or another means (i.e. Authorization Header).
In summary, I think that a respectful dialog between users (perhaps mostly developers) and the platform's development/admin team seems the most beneficial course at this time. I have outlined my issues above and attempted to suggest a potential mutually beneficial solution. I am open to constructive criticism and/or comments.