Re: [Haskell] ANN: Hackage Account Registration Changes

2018-02-22 Thread Geoffrey Huntley 
I feel that this is the wrong direction to take and will add more burden on
people that we shouldn't be adding additional burden to. It's also the
wrong "optics".

I just had a quick squizz at Hackage with a simple PR you'll be able to
remove the incentives for this behaviour.

Add "nofollow" to any links supplied by the user or that are rendered as
part of parsing user input.

https://support.google.com/webmasters/answer/96569?hl=en

The .NET ecosystem recently went through these same notions for the same
reasons - here's the PR

https://github.com/NuGet/NuGetGallery/pull/4841/files

On Fri., 23 Feb. 2018, 10:38 am Matthias Kilian, 
wrote:

> Hi,
>
> On Thu, Feb 22, 2018 at 05:54:33PM -0500, Gershom B wrote:
> > In the meantime, as a short term measure, we have changed new account
> > registration policies on hackage.
> >
> > Users can still register as before, but new users do _not_ have upload
> > rights until they explicitly request them and are granted them by a
> > human being.
> >
> > (This is actually how we had configured hackage to work on initial
> > deployment -- we loosened things up for some years as the extra step
> > seemed unnecessary).
>
> Does this mean that before the todays change, anyone (or anything)
> could register and upload packages without any review and without
> any acknowledgement for trustfulness by another person? Does it
> maen that one can't trust *any* package on hackage.haskell.org at
> least a little bit (based on trust between acknowledging persons
> and reputation) without reviewing the package's source code?
>
> Ciao,
> Kili
> ___
> Haskell mailing list
> Haskell@haskell.org
> http://mail.haskell.org/cgi-bin/mailman/listinfo/haskell
>
___
Haskell mailing list
Haskell@haskell.org
http://mail.haskell.org/cgi-bin/mailman/listinfo/haskell

Re: [Haskell] ANN: Hackage Account Registration Changes

2018-02-22 Thread Matthias Kilian 
Hi,

On Thu, Feb 22, 2018 at 05:54:33PM -0500, Gershom B wrote:
> In the meantime, as a short term measure, we have changed new account
> registration policies on hackage.
> 
> Users can still register as before, but new users do _not_ have upload
> rights until they explicitly request them and are granted them by a
> human being.
> 
> (This is actually how we had configured hackage to work on initial
> deployment -- we loosened things up for some years as the extra step
> seemed unnecessary).

Does this mean that before the todays change, anyone (or anything)
could register and upload packages without any review and without
any acknowledgement for trustfulness by another person? Does it
maen that one can't trust *any* package on hackage.haskell.org at
least a little bit (based on trust between acknowledging persons
and reputation) without reviewing the package's source code?

Ciao,
Kili
___
Haskell mailing list
Haskell@haskell.org
http://mail.haskell.org/cgi-bin/mailman/listinfo/haskell

[Haskell] ANN: Hackage Account Registration Changes

2018-02-22 Thread Gershom B 
As some people have seen, a spammer has started to create accounts on
hackage to upload fake packages, in order to use their
package-descriptions for linkspam. We'll be working to clean-up the
package-index from this spam, and the accounts have been disabled.
Further, we'll need to decide on some long-term changes going forward
to make this sort of abuse more difficult.

In the meantime, as a short term measure, we have changed new account
registration policies on hackage.

Users can still register as before, but new users do _not_ have upload
rights until they explicitly request them and are granted them by a
human being.

(This is actually how we had configured hackage to work on initial
deployment -- we loosened things up for some years as the extra step
seemed unnecessary).

Apologies for the inconvenience, but this seemed the most direct way
to stop the current influx of spam.

Users with existing hackage accounts should encounter no differences
in behavior.

Best,
Gershom
___
Haskell mailing list
Haskell@haskell.org
http://mail.haskell.org/cgi-bin/mailman/listinfo/haskell