[Haskell-cafe] [Haskell] ANN: Hackage Account Registration Changes

Gershom B gershomb at gmail.com
Fri Feb 23 00:53:19 UTC 2018

(Replying just on -cafe. The other cc's shouldn't be included in the
follow-on discussion to this announcement).

A PR to augment links with nofollow tags would be welcome. Note that
for completeness this would have to be done in the markdown engine,
the package-description rendering engine, _and_ the haddock
generation, which are three distinct codepaths.

That said, I think that does not suffice, as I do not think the intent
of the spam is _just_ to perform search engine optimization.

And further, I have seen other cases as well where people are
undeterred by SEO-prevention measures. For example, we require manual
approval of wiki.haskell.org accounts despite the addition of nofollow
tags, as those did not deter spammers in that case.

The current policy is not a "direction" we are taking -- it is an
interim measure until a better fix can be put in place. There is some
discussion of what a "better fix" might look like on an issue on
hackage-server: https://github.com/haskell/hackage-server/issues/685


On Thu, Feb 22, 2018 at 7:26 PM, Geoffrey Huntley <ghuntley at ghuntley.com> wrote:
> I feel that this is the wrong direction to take and will add more burden on
> people that we shouldn't be adding additional burden to. It's also the wrong
> "optics".
> I just had a quick squizz at Hackage. With a simple PR you'll be able to
> remove the incentives for this behaviour.
> Add "nofollow" to any links supplied by the user or that are rendered as
> part of parsing user input.
> https://support.google.com/webmasters/answer/96569?hl=en
> The .NET ecosystem recently went through these same notions for the same
> reasons - here's the PR
> https://github.com/NuGet/NuGetGallery/pull/4841/files
> On Fri., 23 Feb. 2018, 10:38 am Matthias Kilian, <kili at outback.escape.de>
> wrote:
>> Hi,
>> On Thu, Feb 22, 2018 at 05:54:33PM -0500, Gershom B wrote:
>> > In the meantime, as a short term measure, we have changed new account
>> > registration policies on hackage.
>> >
>> > Users can still register as before, but new users do _not_ have upload
>> > rights until they explicitly request them and are granted them by a
>> > human being.
>> >
>> > (This is actually how we had configured hackage to work on initial
>> > deployment -- we loosened things up for some years as the extra step
>> > seemed unnecessary).
>> Does this mean that before today's change, anyone (or anything)
>> could register and upload packages without any review and without
>> any acknowledgement for trustfulness by another person? Does it
>> mean that one can't trust *any* package on hackage.haskell.org at
>> least a little bit (based on trust between acknowledging persons
>> and reputation) without reviewing the package's source code?
>> Ciao,
>>         Kili