[Catalog-sig] The "Softpedia" spam

M.-A. Lemburg mal at egenix.com
Thu May 6 17:18:00 CEST 2010

Tarek Ziadé wrote:
> On Thu, May 6, 2010 at 4:50 PM, M.-A. Lemburg <mal at egenix.com> wrote:
>> Tarek Ziadé wrote:
>>> Hello,
>>> The Softpedia website sends an email to everyone who registers or
>>> uploads something at PyPI. This is clearly spam, and their website
>>> doesn't care about our projects.
>>> I am not sure if they use the PubSubHubbub thing, but I was wondering
>>> how we could prevent these unsolicited mails.
>>> If they use PubSubHubbub, maybe we could set up a black list of
>>> subscribers people can manage at their level,
>>> if they reconstruct the emails by reading the RSS feed, maybe we
>>> should not publish this info (even with the @ transformed into " at ").
>> Unfortunately, that's what you get when providing APIs to extract
>> all the data from PyPI.
>> Not even the terms on the PyPI service can be used to prevent
>> that (something I'll try to change now that I'm on the PSF board
>> again).
>> We should really disallow redistribution of the PyPI meta data
>> and uploads without prior written consent from the PSF.
> Well, the problem is not about the distribution of the metadata because
> for OSS projects you'll always have your email somewhere in the tarball.
> I am not sure what you want to do at PSF level, but I wouldn't want the PSF to
> restrict the usage of my own project info if I upload it to PyPI. PyPI
> is just *one* recipient for projects and doesn't own people's data.

Sorry, perhaps I wasn't clear: when uploading things to PyPI
you accept the PyPI terms. These terms currently allow anyone
to take the data from PyPI and publicly redistribute it
without any restrictions.

I think it's better to only allow the PSF to redistribute data
that it got from the PyPI package authors.

Redistribution in the form that Softpedia uses to attract
visitors and make revenue on the ads they have on their
site is not something the PSF would normally tolerate.

However, with the current terms, there's nothing the PSF
can do about it.

As package author, you are, of course, free to upload your
packages wherever you want, the PyPI terms only apply to the
data that you passed on to the PSF for display.

> The problem is about the usage of the APIs PyPI provides: Softpedia
> has set up an automatic process that gets triggered every time
> something is uploaded.
> So it's all about spam, as usual. If we can control how the APIs are
> used, we will defeat this bot.
> What I propose is:
> - set up authentication for the XML-RPC APIs, in order to control
>   this. If a user starts to use XML-RPC calls in his bots, it's easy
>   to shut it down.
> - set up a restricted list of subscribers for the PubSubHubbub
>   protocol (I am not sure if this protocol supports authentication,
>   but I guess we can set something up)
> - avoid displaying any email or derived emails on anonymous pages

I'm not sure how that would work. Package manager tools would
then all have to use this authentication mechanism.

Marc-Andre Lemburg

Professional Python Services directly from the Source  (#1, May 06 2010)
>>> Python/Zope Consulting and Support ...        http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ...             http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/

::: Try our new mxODBC.Connect Python Database Interface for free ! ::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
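Tarek's third proposal (not publishing addresses, or their " at " rewrites, on anonymously served pages and feeds) can be made concrete. The following is an added illustration, not code from the thread or from PyPI itself: it assumes a metadata record shaped like the distutils fields (`author_email`, `maintainer_email`, `description`; these field names are an assumption) and a boolean saying whether the viewer is authenticated. Address fields are dropped outright for anonymous viewers, and free text is scrubbed for both plain addresses and the feed-style "user at host.tld" form, since that rewrite is trivially reversible and offers no protection against an automated harvester.

```python
import re
from typing import Any

# Metadata fields that carry an address directly. The names follow the
# distutils/PyPI metadata convention but are assumed for this example.
EMAIL_FIELDS = ("author_email", "maintainer_email")

# Free-text scrubber. Catches "user@host.tld" as well as the obfuscated
# "user at host.tld" / "user (at) host.tld" spellings that feeds often emit.
_EMAIL_RE = re.compile(
    r"\b[A-Za-z0-9._%+-]+\s*(?:@|\(at\)|\bat\b)\s*"
    r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\b",
    re.IGNORECASE,
)

REDACTED = "[email withheld]"


def scrub_text(text: str) -> str:
    """Replace every email-like token, obfuscated or not, in free text."""
    return _EMAIL_RE.sub(REDACTED, text)


def view_for(metadata: dict[str, Any], authenticated: bool) -> dict[str, Any]:
    """Return the metadata record as it should be served to this viewer.

    Authenticated users get the record unchanged. Anonymous viewers, which
    is also what an RSS feed or unauthenticated XML-RPC call amounts to,
    get a copy with the address fields removed entirely and any string
    field scrubbed, so the address cannot be rebuilt from the description.
    """
    if authenticated:
        return dict(metadata)
    public: dict[str, Any] = {}
    for key, value in metadata.items():
        if key in EMAIL_FIELDS:
            continue  # omit the field rather than emit an empty placeholder
        if isinstance(value, str):
            value = scrub_text(value)
        public[key] = value
    return public


if __name__ == "__main__":
    # Constructed sample record, not real PyPI data.
    record = {
        "name": "example-pkg",
        "author_email": "someone at example.org",
        "description": "Report bugs to someone@example.org.",
    }
    print(view_for(record, authenticated=False))
    print(view_for(record, authenticated=True))
```

The " at " pattern is deliberately greedy: a phrase such as "look at python.org" is also redacted. For an anonymous view that trade-off is acceptable, because the cost of a false positive is a slightly mangled description while the cost of a miss is another address handed to the harvester; the authenticated path never touches the text.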
