[Catalog-sig] The "Softpedia" spam
tseaver at palladion.com
Thu May 6 20:36:06 CEST 2010
M.-A. Lemburg wrote:
> Tarek Ziadé wrote:
>> On Thu, May 6, 2010 at 5:18 PM, M.-A. Lemburg <mal at egenix.com> wrote:
>>> Sorry, perhaps I wasn't clear: when uploading things to PyPI
>>> you accept the PyPI terms. These terms currently allow anyone
>>> to take the data from PyPI and publicly redistribute it
>>> without any restrictions.
>>> I think it's better to only allow the PSF to redistribute data
>>> that it got from the PyPI package authors.
>> I am not sure what it means that the PSF redistributes data. Is this
>> http://www.python.org/about/legal or another text?
> That text needs some care as well, yes. I was referring to this text
> on PyPI:
> By registering to upload content to PyPI, I agree and affirmatively acknowledge the following:
> 1. Content is restricted to Python packages and related information only.
> 2. Any content uploaded to PyPI is provided on a non-confidential basis.
> 3. The PSF is free to use or disseminate any content that I upload on an unrestricted basis for
> any purpose. In particular, the PSF and all other users of the web site are granted an irrevocable,
> worldwide, royalty-free, nonexclusive license to reproduce, distribute, transmit, display, perform,
> and publish the content, including in digital form.
> 4. I represent and warrant that I have complied with all government regulations concerning the
> transfer or export of any content I upload to PyPI. In particular, if I am subject to United States
> law, I represent and warrant that I have obtained the proper governmental authorization for the
> export of the content I upload. I further affirm that any content I provide is not intended for use
> by a government end-user as defined in part 772 of the United States Export Administration Regulations.
>> A list of prohibited usage (combined with authentication) should be
>> enough to prevent the problem
>> as far as I understand.
>> For instance, here's SourceForge's one
>> ...using any information obtained from SourceForge.net in order to
>> contact, advertise to, solicit, or sell to any
>> user without such user's prior explicit consent (including
>> non-commercial contacts like chain letters);
> Right, we'd need something along those lines.
>>>> What I propose is:
>>>> - set up authentication for the XML-RPC APIs, in order to control
>>>> this. If a user starts to use
>>>> XML-RPC calls in his bots, it's easy to shut it down.
>>>> - set up a restricted list of subscribers for the PubSubHubbub
>>>> protocol (I am not sure if this protocol
>>>> supports authentication, but I guess we can set something up)
>>>> - avoid displaying any email or derived emails on anonymous page
>>> I'm not sure how that would work. Package manager tools would
>>> then all have to use this authentication mechanism.
>> Yes but they would need to use an account therefore have an identity
>> when they run their scripts.
> Hmm, wouldn't that require all pip users to have a PyPI account?
I *think* PIP uses the "/simple" API (the RESTy one), rather than
XMLRPC. That is certainly how setuptools / distribute work, anyway.
Tres Seaver +1 540-429-0999 tseaver at palladion.com
Palladion Software "Excellence by Design" http://palladion.com
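The proposal discussed above (authenticated XML-RPC, anonymous /simple index left alone, no e-mail addresses on anonymous pages) can be sketched as a small request-routing policy. This is an added example written for this archive page, not PyPI's code and not code from anyone in the thread; the package data, the `handle`/`xmlrpc`/`simple_index` functions, the audit log and the URL shapes are all constructed assumptions.

```python
"""Access-control sketch for a package index, modelling the proposal in the
thread: keep the anonymous /simple index that pip and setuptools read, put
an authenticated identity in front of the XML-RPC API, and never emit
maintainer e-mail addresses on anonymous pages.

Added example; not PyPI's code. All names, paths and data are constructed.
"""
from dataclasses import dataclass
from typing import Any, Optional, Tuple

# Constructed sample metadata. The address uses the reserved .invalid TLD.
PACKAGES = {
    "examplepkg": {
        "version": "1.0",
        "author": "Jane Maintainer",
        "author_email": "jane@example.invalid",
        "files": ["examplepkg-1.0.tar.gz"],
    },
}

# Every XML-RPC call is recorded against an identity, so an abusive client
# can be traced and its account disabled (the "easy to shut it down" point).
AUDIT_LOG: list = []


@dataclass
class Request:
    path: str
    method: Optional[str] = None        # XML-RPC method name, if any
    args: Tuple[Any, ...] = ()
    user: Optional[str] = None          # None means anonymous


@dataclass
class Response:
    status: int
    body: Any


def redact_contact(meta: dict) -> dict:
    """Drop e-mail fields before showing metadata to an anonymous viewer."""
    return {k: v for k, v in meta.items() if not k.endswith("_email")}


def simple_index(name: str) -> Response:
    """The /simple/<name>/ link listing installers consume: stays anonymous,
    and carries only file links, so there is nothing to harvest from it."""
    meta = PACKAGES.get(name)
    if meta is None:
        return Response(404, "")
    links = "\n".join(f'<a href="{f}">{f}</a>' for f in meta["files"])
    return Response(200, links)


def xmlrpc(req: Request) -> Response:
    """XML-RPC endpoint: refuse anonymous calls, log identified ones."""
    if req.user is None:
        return Response(401, "authentication required")
    AUDIT_LOG.append((req.user, req.method, req.args))
    if req.method == "release_data":
        name, version = req.args
        meta = PACKAGES.get(name)
        if meta is None or meta["version"] != version:
            return Response(200, {})
        return Response(200, dict(meta))    # full record, tied to an identity
    return Response(400, f"unknown method {req.method!r}")


def package_page(name: str, user: Optional[str]) -> Response:
    """Human-readable package page; contact details only for logged-in users."""
    meta = PACKAGES.get(name)
    if meta is None:
        return Response(404, "")
    shown = dict(meta) if user else redact_contact(meta)
    return Response(200, shown)


def handle(req: Request) -> Response:
    """Route a request to the three surfaces the thread distinguishes."""
    parts = req.path.strip("/").split("/")
    if parts[0] == "simple" and len(parts) == 2:
        return simple_index(parts[1])
    if req.path == "/pypi" and req.method:
        return xmlrpc(req)
    if parts[0] == "pypi" and len(parts) == 2:
        return package_page(parts[1], req.user)
    return Response(404, "")


if __name__ == "__main__":
    print(handle(Request("/simple/examplepkg/")).body)
    print(handle(Request("/pypi", method="release_data", args=("examplepkg", "1.0"))))
    print(handle(Request("/pypi", method="release_data",
                         args=("examplepkg", "1.0"), user="bot-owner")))
    print(handle(Request("/pypi/examplepkg/")).body)
```

The split matters for the question raised at the end of the thread: installers that only read `/simple/` keep working without an account, while anything that wants the richer XML-RPC data has to present an identity that ends up in the audit log.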