Tarek Ziadé wrote:
> On Thu, May 6, 2010 at 4:50 PM, M.-A. Lemburg <m...@egenix.com> wrote:
>> Tarek Ziadé wrote:
>>> Hello,
>>>
>>> The Softpedia website sends an email to everyone that registers or
>>> uploads something at PyPI. This is clearly spam, and their website
>>> doesn't care about our projects.
>>>
>>> I am not sure if they use the PubSubHubbub thing, but I was wondering
>>> how we could prevent these unsolicited mails.
>>>
>>> If they use PubSubHubbub, maybe we could set up a blacklist of
>>> subscribers people can manage at their level;
>>> if they reconstruct the emails by reading the RSS feed, maybe we
>>> should not publish this info (even with the @ transformed into " at ").
>>
>> Unfortunately, that's what you get when providing APIs to extract
>> all the data from PyPI.
>>
>> Not even the terms on the PyPI service can be used to prevent
>> that (something I'll try to change now that I'm on the PSF board
>> again).
>>
>> We should really disallow redistribution of the PyPI metadata
>> and uploads without prior written consent from the PSF.
>
> Well, the problem is not about the distribution of the metadata because
> for OSS projects, you'll always have your email somewhere in the tarball.
>
> I am not sure what you want to do at PSF level, but I wouldn't want the PSF to
> restrict the usage of my own project info if I upload it at PyPI. PyPI
> is just *one* recipient for projects and doesn't own people's data.
Sorry, perhaps I wasn't clear: when uploading things to PyPI you accept
the PyPI terms. These terms currently allow anyone to take the data from
PyPI and publicly redistribute it without any restrictions.

I think it's better to only allow the PSF to redistribute data that it
got from the PyPI package authors. Redistribution in the form that
Softpedia uses to attract visitors and make revenue on the ads they have
on their site is not something the PSF would normally tolerate. However,
with the current terms, there's nothing the PSF can do about it.

As package author, you are, of course, free to upload your packages
wherever you want; the PyPI terms only apply to the data that you passed
on to the PSF for display.

> The problem is about the usage of the APIs PyPI provides: Softpedia
> has set up an automatic process that gets triggered every time
> something is uploaded.
>
> So it's all about spam, as usual. If we can control how the APIs are
> used, we will defeat this bot.
>
> What I propose is:
>
> - set up authentication for the XML-RPC APIs, in order to control
>   this. If a user starts to use XML-RPC calls in his bots, it's easy
>   to shut it down.
>
> - set up a restricted list of subscribers for the PubSubHubbub
>   protocol (I am not sure if this protocol supports authentication,
>   but I guess we can set something up)
>
> - avoid displaying any email or derived emails on anonymous pages

I'm not sure how that would work. Package manager tools would then all
have to use this authentication mechanism.

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, May 06 2010)
>>> Python/Zope Consulting and Support ...        http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ...             http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________

::: Try our new mxODBC.Connect Python Database Interface for free ! ::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/

_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig
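The third item in the quoted proposal (do not expose email addresses, obfuscated or not, to anonymous consumers) and the first (tie fuller access to an authenticated, hence accountable, caller) can be enforced together at the point where release metadata is rendered into an RSS item or API response. The following is an added example written for this thread; it is not PyPI's code, and `ReleaseMetadata`, `public_view`, `render_rss_item`, `EMAIL_RE` and the sample release are all hypothetical.

```python
"""Serve PyPI-style release metadata without handing author e-mail
addresses to anonymous feed/API consumers.

Hypothetical example written for this thread; not PyPI code.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Best-effort pattern for addresses embedded in free text. It also
# matches the " at " / " dot " obfuscation mentioned in the thread,
# because harvesters reverse that trivially; obfuscation is not
# treated as protection here. Assumption: these are the forms to catch.
EMAIL_RE = re.compile(
    r"[A-Za-z0-9._%+-]+"                          # local part
    r"\s*(?:@|\s+at\s+)\s*"                        # "@" or " at "
    r"[A-Za-z0-9-]+"                               # first domain label
    r"(?:\s*(?:\.|\s+dot\s+)\s*[A-Za-z0-9-]+)+",   # further labels
    re.IGNORECASE,
)

PLACEHOLDER = "[email withheld]"


@dataclass(frozen=True)
class ReleaseMetadata:
    name: str
    version: str
    author: str
    author_email: str
    description: str


def redact_emails(text: str) -> str:
    """Replace anything that looks like an address in free text."""
    return EMAIL_RE.sub(PLACEHOLDER, text)


def public_view(meta: ReleaseMetadata, authenticated: bool) -> dict:
    """Fields a consumer is entitled to see.

    Anonymous consumers never receive the structured e-mail field at
    all, and free text is scrubbed as a fallback. Authenticated
    consumers, whose access can be revoked, get the full record.
    """
    if authenticated:
        return {
            "name": meta.name,
            "version": meta.version,
            "author": meta.author,
            "author_email": meta.author_email,
            "description": meta.description,
        }
    return {
        "name": meta.name,
        "version": meta.version,
        "author": meta.author,
        "description": redact_emails(meta.description),
    }


def render_rss_item(meta: ReleaseMetadata, authenticated: bool) -> str:
    """Render one RSS <item> from the view the caller is entitled to."""
    view = public_view(meta, authenticated)
    item = ET.Element("item")
    ET.SubElement(item, "title").text = f"{view['name']} {view['version']}"
    ET.SubElement(item, "description").text = view["description"]
    if "author_email" in view:          # only present for authenticated callers
        ET.SubElement(item, "author").text = view["author_email"]
    return ET.tostring(item, encoding="unicode")


# Constructed sample release; not real PyPI data.
SAMPLE = ReleaseMetadata(
    name="examplepkg",
    version="1.0",
    author="Alice Example",
    author_email="alice@example.org",
    description=(
        "Questions? Mail alice at example dot org "
        "or bob.smith+pypi@example.co.uk."
    ),
)

if __name__ == "__main__":
    print(render_rss_item(SAMPLE, authenticated=False))
    print(render_rss_item(SAMPLE, authenticated=True))
```

The structured field is simply omitted for anonymous callers; that is the control to rely on. Scrubbing free text is a fallback that deliberately errs toward over-redaction (a phrase such as "1.0 at 2.5" would also be replaced), so it should not be the only thing standing between an author's address and a harvesting bot.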