[Catalog-sig] The "Softpedia" spam

Tarek Ziadé ziade.tarek at gmail.com
Thu May 6 17:37:19 CEST 2010

On Thu, May 6, 2010 at 5:18 PM, M.-A. Lemburg <mal at egenix.com> wrote:
> Sorry, perhaps I wasn't clear: when uploading things to PyPI
> you accept the PyPI terms. These terms currently allow anyone
> to take the data from PyPI and publically redistribute it
> without any restrictions.
> I think it's better to only allow the PSF to redistribute data
> that it got from the PyPI package authors.

I am not sure what it means that the PSF redistributes data.  Is this
http://www.python.org/about/legal or another text ?

A list of prohibited usage (combined with authentication) should be
enough to prevent the problem
as far as I understand.

For instance, here's SourceForge's one



   ...using any information obtained from SourceForge.net in order to
contact, advertise to, solicit, or sell to any
   user without such user's prior explicit consent (including
non-commercial contacts like chain letters);

>> What I propose is:
>> - set up authentication for the XML-RPC APIs, in order to control
>> this. If a user starts to use
>>   XML-RPC calls in his bots, it's easy to shut it down.
>> - set up a restricted list of subscribers for the PubSubHubbub
>> protocol (I am not sure if this protocol
>> supports authentication, but I guess we can set something up)
>> - avoid displaying any email or derived emails on anonymous page
> I'm not sure how that would work. Package manager tools would
> then all have to use this authentication mechanism.

Yes but they would need to use an account therefore have an identity
when they run their scripts.

For instance, PyPI can have API calls quota per user, and a white list
of users that are allowed to have
an unlimited number of API calls.  (managed manually)

IOW, allow stuff like cheesecake ratings or whatever, to subscribe,
and be able to block Softpedia.

It's a limited protection but should be enough: I don't think the
Softpedia staff will work on
defeating this by registering hundreds of zombies at PyPI.

But I understand that it also needs the legal part,


Tarek Ziadé | http://ziade.org

More information about the Catalog-SIG mailing list