Spam/fraudulent packages on Hackage #132

Open
ocramz opened this issue Feb 22, 2018 · 21 comments

Comments

@ocramz

ocramz commented Feb 22, 2018

https://hackage.haskell.org/package/my-test-docs
https://hackage.haskell.org/package/Facebook-Password-Hacker-Online-Latest-Version

(I've just sent a mail about it to libraries as well)

@NJBS

NJBS commented Feb 22, 2018

https://hackage.haskell.org/package/Fortnite-Hack-Cheats-Free-V-Bucks-Generator-1.0.1
https://hackage.haskell.org/package/Clash-Royale-Hack-Cheats

Two more malicious uploads.

@gbaz
Contributor

gbaz commented Feb 22, 2018

Do we need to put hackage on lockdown for the time being? Shoot.

@gbaz
Contributor

gbaz commented Feb 22, 2018

(I disabled the account just now, but we need to prevent the spammer from making new ones.)

@NJBS

NJBS commented Feb 22, 2018

@gbaz thanks, do note however that these packages were uploaded by two accounts:
https://hackage.haskell.org/user/hejirumo
https://hackage.haskell.org/user/bobo8

Your message makes it seem like you only disabled one, so I just want to make sure it's clear that it's two accounts 😄

@gbaz
Contributor

gbaz commented Feb 22, 2018

The other account was disabled earlier.

@gbaz
Contributor

gbaz commented Feb 22, 2018

OK, we're going to do an emergency redeploy to turn off the add-to-uploaders-by-default for now. Ugh.

@gbaz
Contributor

gbaz commented Feb 22, 2018

Redeploy done.

There aren't too many bad packages uploaded, but it would be good to black-hole them more thoroughly. In the meantime they can be marked deprecated and their spammy descriptions can be revised away.

Related tickets for erasing them more thoroughly from the UI:

haskell/hackage-server#201
haskell/hackage-server#382

@hvr
Contributor

hvr commented Feb 22, 2018

I've made revisions to the packages exhibiting signs of unsolicited advertisement reported here.

@ocramz
Author

ocramz commented Feb 23, 2018

Thank you @hvr and @gbaz for responding promptly to this; however, the spammy content is still available (in the Cabal file, in fact).
They are also still visible in the index.
I know Hackage is supposed to be write-only, but wouldn't it be possible to intervene by hand and downright delete these packages?

@hvr
Contributor

hvr commented Feb 23, 2018

@ocramz Yes, we're intending to do so mid/long-term, but since this wasn't a concern in the past and the data model isn't optimised for this, we need to do a bit of preparatory work before we can handle this properly. In the short term we just did the things we could do easily, and the rest will come later.

@gbaz
Contributor

gbaz commented Mar 20, 2018

Looking at the logs I noticed that we were still getting a lot of search traffic to the damn spam packages (I guess the keywords on them were high quality!) so I went and blasted them in the nginx conf with a 410 Gone.
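
As an added illustration of the 410 approach described above (not the hackage-server project's configuration and not gbaz's actual nginx change): an nginx fragment that answers 410 Gone for the package pages named in this thread, chosen over 404 because crawlers treat 410 as a permanent removal signal. The `/package/<name>` layout is taken from the URLs quoted above; the server name, backend address and the optional `-<version>` suffix handling are assumptions.

```nginx
# Added example, not the hackage-server project's own configuration.
# Return 410 Gone for the spam packages reported in this thread so
# search engines drop them. Paths follow the /package/<name> URLs
# quoted in the thread; everything else here is an assumption.
server {
    listen 80;
    server_name hackage.example.org;   # placeholder, not the real host

    # Match the bare package page, the version-qualified page
    # (e.g. ...-1.0.1) and any sub-path (docs, .cabal file, tarball).
    location ~ "^/package/(my-test-docs|Facebook-Password-Hacker-Online-Latest-Version|Fortnite-Hack-Cheats-Free-V-Bucks-Generator|Clash-Royale-Hack-Cheats)(-[0-9.]+)?(/.*)?$" {
        return 410;
    }

    # Everything else still reaches the Hackage application.
    location / {
        proxy_pass http://127.0.0.1:8080;   # assumed backend address
    }
}
```

Run `nginx -t` before reloading so a typo in the regex cannot take the whole site down.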

@vdorr

vdorr commented Mar 27, 2018

FYI some people may not get that "No access for this resource" means "After your account is created, you cannot upload until you contact the hackage admins" ;-)

@gbaz
Contributor

gbaz commented Mar 27, 2018

I'd be happy to take a PR for that. I think the message for the 403 is overridable.

@gbaz
Contributor

gbaz commented Sep 17, 2018

Thanks. I disabled that account :-/

@gbaz
Contributor

gbaz commented Sep 17, 2018

@gbaz
Contributor

gbaz commented Sep 17, 2018

We should kline the spam packages in the nginx conf again too.

@gbaz
Contributor

gbaz commented Sep 17, 2018

These packages too: http://hackage.haskell.org/user/demigod

@expipiplus1

Who makes the decision (and how) on what to censor on Hackage? Is there documentation on what constitutes a "fraudulent" package? (Not that I disagree with the examples in this thread.)

@gbaz
Contributor

gbaz commented Nov 1, 2020

The hackage admins are the only people with the perms to do this. We only act in the case of obvious spam. For anything contested, the decision would have to revert to the haskell.org committee, but that situation has never occurred.
