[Catalog-sig] The "Softpedia" spam

Tres Seaver tseaver at palladion.com
Thu May 6 20:36:06 CEST 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

M.-A. Lemburg wrote:
> Tarek Ziadé wrote:
>> On Thu, May 6, 2010 at 5:18 PM, M.-A. Lemburg <mal at egenix.com> wrote:
>> [..]
>>> Sorry, perhaps I wasn't clear: when uploading things to PyPI
>>> you accept the PyPI terms. These terms currently allow anyone
>>> to take the data from PyPI and publically redistribute it
>>> without any restrictions.
>>>
>>> I think it's better to only allow the PSF to redistribute data
>>> that it got from the PyPI package authors.
>> I am not sure what it means that the PSF redistributes data.  Is this
>> http://www.python.org/about/legal or another text ?
> 
> That text needs some care as well, yes. I was referring to this text
> on PyPI:
> 
> http://pypi.python.org/pypi?%3Aaction=register_form
> """
> By registering to upload content to PyPI, I agree and affirmatively acknowledge the following:
> 
>    1. Content is restricted to Python packages and related information only.
>    2. Any content uploaded to PyPI is provided on a non-confidential basis.
>    3. The PSF is free to use or disseminate any content that I upload on an unrestricted basis for
> any purpose. In particular, the PSF and all other users of the web site are granted an irrevocable,
> worldwide, royalty-free, nonexclusive license to reproduce, distribute, transmit, display, perform,
> and publish the content, including in digital form.
>    4. I represent and warrant that I have complied with all government regulations concerning the
> transfer or export of any content I upload to PyPI. In particular, if I am subject to United States
> law, I represent and warrant that I have obtained the proper governmental authorization for the
> export of the content I upload. I further affirm that any content I provide is not intended for use
> by a government end-user as defined in part 772 of the United States Export Administration Regulations.
> """
> 
>> A list of prohibited usage (combined with authentication) should be
>> enough to prevent the problem
>> as far as I understand.
>>
>> For instance, here's SourceForge's one
>>
>> http://sourceforge.net/apps/trac/sitelegal/wiki/Terms_of_Use#a2.YOURUSEOFSOURCEFORGE.NET
>>
>> Extract:
>>
>>    ...using any information obtained from SourceForge.net in order to
>> contact, advertise to, solicit, or sell to any
>>    user without such user's prior explicit consent (including
>> non-commercial contacts like chain letters);
> 
> Right, we'd need something along those lines.
> 
>> [..]
>>>> What I propose is:
>>>>
>>>> - set up authentication for the XML-RPC APIs, in order to control
>>>> this. If a user starts to use
>>>>   XML-RPC calls in his bots, it's easy to shut it down.
>>>>
>>>> - set up a restricted list of subscribers for the PubSubHubbub
>>>> protocol (I am not sure if this protocol
>>>> supports authentication, but I guess we can set something up)
>>>>
>>>> - avoid displaying any email or derived emails on anonymous page
>>> I'm not sure how that would work. Package manager tools would
>>> then all have to use this authentication mechanism.
>> Yes but they would need to use an account therefore have an identity
>> when they run their scripts.
> 
> Hmm, wouldn't that require all pip users to have PyPI account ?

I *think* PIP uses the "/simple" API (the RESTy one), rather than
XMLRPC.  That is certainly how setuptools / distribute work, anyway.


Tres.
- --
===================================================================
Tres Seaver          +1 540-429-0999          tseaver at palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkvjDBAACgkQ+gerLs4ltQ5yCQCfV6Voc2nET6JtMJjDkrP0cPnc
TYwAnRNQDeE8KVBuGuqu8+OpN23oGWuf
=LKnD
-----END PGP SIGNATURE-----



More information about the Catalog-SIG mailing list