Quoting David Fifield (2021-12-09 23:45:06)
It would be best to generate a fresh captcha image for each challenge, but if that's not possible, we should increase the number of cached images or regnerate the cache periodically.
Our current mechanism to generate captchas is: https://github.com/isislovecruft/gimp-captcha
Which requires gimp, and might not be fast enough to generate a captcha per request besides not sure how TPA will feel about installing gimp the server. We could consider other options.
I see there are few libraries in go or python for it (will require some investigation to see if they are not way easier to break than gimp ones). Or we could use reCAPTCHA (bridgedb redame says is supported) or hCaptcha, that I guess will produce some doubts about privacy of the users.
There is a conversation about deprecating the captchas (as they are broken in many situations and are hard for many people) and we are setting up a new API[0] that will not have catpchas to see how it goes.
Anyway, I would prefer not to change how we serve captchas until we reimplement moat in rdsys. But we could regenerate the captchas, I don't think anybody has done it since phw did over one year ago. I created an issue to do it: https://gitlab.torproject.org/tpo/anti-censorship/bridgedb/-/issues/24607#no...
[0] https://gitlab.torproject.org/tpo/anti-censorship/bridgedb/-/issues/40025