It's way to easy to do hit-and-run spamming on Advogato. It's so easy to automate, I'm surprised that the recentlog isn't completely dominated by spam. The reason it didn't happen yet is probably that the spammers are, well, dumb (evidence: they don't understand nofollow), but one can't rely on security through stupidity forever. Here's a very simple suggestion, which I volunteer to implement in case the Advogato community agrees: instead of asking for a password on registration, create a random password and mail it to the user; the user should then be able to change the password when she logs in. A password reminding mechanism already exists.