[Catalog-sig] The "Softpedia" spam

M.-A. Lemburg mal at egenix.com
Thu May 6 17:53:36 CEST 2010


Tarek Ziadé wrote:
> On Thu, May 6, 2010 at 5:18 PM, M.-A. Lemburg <mal at egenix.com> wrote:
> [..]
>> Sorry, perhaps I wasn't clear: when uploading things to PyPI
>> you accept the PyPI terms. These terms currently allow anyone
>> to take the data from PyPI and publicly redistribute it
>> without any restrictions.
>>
>> I think it's better to only allow the PSF to redistribute data
>> that it got from the PyPI package authors.
> 
> I am not sure what it means that the PSF redistributes data.  Is this
> http://www.python.org/about/legal or another text ?

That text needs some care as well, yes. I was referring to this text
on PyPI:

http://pypi.python.org/pypi?%3Aaction=register_form
"""
By registering to upload content to PyPI, I agree and affirmatively acknowledge the following:

   1. Content is restricted to Python packages and related information only.
   2. Any content uploaded to PyPI is provided on a non-confidential basis.
   3. The PSF is free to use or disseminate any content that I upload on an unrestricted basis for
any purpose. In particular, the PSF and all other users of the web site are granted an irrevocable,
worldwide, royalty-free, nonexclusive license to reproduce, distribute, transmit, display, perform,
and publish the content, including in digital form.
   4. I represent and warrant that I have complied with all government regulations concerning the
transfer or export of any content I upload to PyPI. In particular, if I am subject to United States
law, I represent and warrant that I have obtained the proper governmental authorization for the
export of the content I upload. I further affirm that any content I provide is not intended for use
by a government end-user as defined in part 772 of the United States Export Administration Regulations.
"""

> A list of prohibited usage (combined with authentication) should be
> enough to prevent the problem
> as far as I understand.
> 
> For instance, here's SourceForge's one
> 
> http://sourceforge.net/apps/trac/sitelegal/wiki/Terms_of_Use#a2.YOURUSEOFSOURCEFORGE.NET
> 
> Extract:
> 
>    ...using any information obtained from SourceForge.net in order to
> contact, advertise to, solicit, or sell to any
>    user without such user's prior explicit consent (including
> non-commercial contacts like chain letters);

Right, we'd need something along those lines.

> [..]
>>> What I propose is:
>>>
>>> - set up authentication for the XML-RPC APIs, in order to control
>>> this. If a user starts to use
>>>   XML-RPC calls in his bots, it's easy to shut it down.
>>>
>>> - set up a restricted list of subscribers for the PubSubHubbub
>>> protocol (I am not sure if this protocol
>>> supports authentication, but I guess we can set something up)
>>>
>>> - avoid displaying any email or derived emails on anonymous page
>>
>> I'm not sure how that would work. Package manager tools would
>> then all have to use this authentication mechanism.
> 
> Yes but they would need to use an account therefore have an identity
> when they run their scripts.

Hmm, wouldn't that require all pip users to have a PyPI account?

> For instance, PyPI can have API calls quota per user, and a white list
> of users that are allowed to have
> an unlimited number of API calls.  (managed manually)
> 
> IOW, allow stuff like cheesecake ratings or whatever, to subscribe,
> and be able to block Softpedia.
> 
> It's a limited protection but should be enough: I don't think the
> Softpedia staff will work on
> defeating this by registering hundreds of zombies at PyPI.
> 
> But I understand that it also needs the legal part,

I'll work on the legal stuff and leave the technical side
to you :-)

-- 
Marc-Andre Lemburg
eGenix.com
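
Added example, not part of the original message or of PyPI's code: a sketch of the per-account API quota with a manually managed allowlist and an admin shut-off that the quoted proposal describes. The class name, limits, fixed-window policy, account names and the choice to refuse unauthenticated calls are all assumptions made for illustration.

```python
import time


class QuotaGate:
    """Per-account call quota for an authenticated API (fixed window).

    Hypothetical helper: the limits and the window policy are assumptions.
    """

    def __init__(self, limit, window_s, unlimited=(), clock=time.monotonic):
        self.limit = limit
        self.window_s = window_s
        self.unlimited = set(unlimited)  # manually managed allowlist
        self.blocked = set()             # accounts an admin has shut off
        self.clock = clock               # injectable so tests can control time
        self._windows = {}               # account -> (window_start, calls_used)

    def block(self, account):
        """Admin action: refuse every further call from this account."""
        self.blocked.add(account)

    def check(self, account):
        """Return (allowed, reason) for one API call made by `account`."""
        if not account:
            return False, "unauthenticated"   # no identity, no quota to charge
        if account in self.blocked:
            return False, "blocked"           # a block outranks the allowlist
        if account in self.unlimited:
            return True, "allowlisted"
        now = self.clock()
        start, used = self._windows.get(account, (now, 0))
        if now - start >= self.window_s:      # window expired: start a new one
            start, used = now, 0
        if used >= self.limit:
            return False, "quota exceeded"
        self._windows[account] = (start, used + 1)
        return True, "ok"


def replay(gate, accounts):
    """Feed a sequence of caller identities to the gate; count denials."""
    denied = {}
    for account in accounts:
        allowed, _reason = gate.check(account)
        if not allowed:
            key = account or "<anonymous>"
            denied[key] = denied.get(key, 0) + 1
    return denied


if __name__ == "__main__":
    # Constructed traffic: a bulk caller, an allowlisted service, one anonymous call.
    gate = QuotaGate(limit=3, window_s=60, unlimited={"cheesecake"})
    print(replay(gate, ["bulk-bot"] * 10 + ["cheesecake"] * 10 + [None]))
```

The per-account denial counts are what an operator would review before deciding to call `block()` on an identity.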
