Spam/fraudulent packages on Hackage #132
Comments
Do we need to put hackage on lockdown for the time being? Shoot.
(I disabled the account just now, but we need to prevent the spammer from making new ones)
@gbaz thanks, do note however that these packages were uploaded by two accounts: Your message makes it seem like you only disabled one, so I just want to make sure it's clear that it's two accounts 😄
The other account was disabled earlier.
ok we're going to do an emergency redeploy to turn off the add-to-uploaders-by-default for now. ugh.
Redeploy done. There aren't too many bad packages uploaded, but it would be good to black-hole them more thoroughly. In the meantime they can be marked deprecated and their spammy descriptions can be revised away. Related tickets for erasing them more thoroughly from the UI:
I've made revisions to the packages exhibiting signs of unsolicited advertisement reported here.
Thank you @hvr and @gbaz for responding promptly to this, however the spammy content is still available (in the Cabal file in fact).
@ocramz Yes we're intending to do so mid/long-term, but since this wasn't a concern in the past and the data model isn't optimised for this, we need to do a bit of preparatory work before we can handle this properly. We just did short-term the things we could do easily, and the rest will come later.
Looking at the logs I noticed that we were still getting a lot of search traffic to the damn spam packages (I guess the keywords on them were high quality!) so I went and blasted them in the nginx conf with a 410 Gone.
FYI some people may not get that "No access for this resource" means "After your account is created, you cannot upload until you contact the hackage admins" ;-)
I'd be happy to take a PR for that. I think the message for the 403 is overridable.
Thanks. I disabled that account :-/
look at these revisions, yipe: http://hackage.haskell.org/package/f-ree-hack-cheats-free-v-bucks-generator-0.2/revisions/
We should kline the spam packages in the nginx conf again too.
these packages too http://hackage.haskell.org/user/demigod
Who makes the decision (and how) on what to censor on Hackage? Is there documentation on what constitutes a "fraudulent" package? (not that I disagree with the examples in this thread)
The hackage admins are the only people with the perms to do this. We only act in the case of obvious spam. For anything contested, the decision would have to revert to the haskell.org committee, but that situation has never occurred.
https://hackage.haskell.org/package/my-test-docs
https://hackage.haskell.org/package/Facebook-Password-Hacker-Online-Latest-Version
(I've just sent a mail about it to libraries as well)