haskell-infra / hackage-trustees

Issue tracker for Hackage maintenance and trustee operations
https://hackage.haskell.org/packages/trustees/

Spam/fraudulent packages on Hackage #132

Open ocramz opened 6 years ago

ocramz commented 6 years ago

https://hackage.haskell.org/package/my-test-docs
https://hackage.haskell.org/package/Facebook-Password-Hacker-Online-Latest-Version

(I've just sent a mail about it to libraries as well)

NJBS commented 6 years ago

https://hackage.haskell.org/package/Fortnite-Hack-Cheats-Free-V-Bucks-Generator-1.0.1
https://hackage.haskell.org/package/Clash-Royale-Hack-Cheats

two more malicious uploads

gbaz commented 6 years ago

Do we need to put hackage on lockdown for the time being? Shoot.

gbaz commented 6 years ago

(I disabled the account just now, but we need to prevent the spammer from making new ones)

NJBS commented 6 years ago

@gbaz thanks, do note however that these packages were uploaded by two accounts:
https://hackage.haskell.org/user/hejirumo
https://hackage.haskell.org/user/bobo8

Your message makes it seem like you only disabled one, so I just want to make sure it's clear that it's two accounts :smile:

gbaz commented 6 years ago

The other account was disabled earlier.

tfausak commented 6 years ago

More:

User: https://hackage.haskell.org/user/bob121

gbaz commented 6 years ago

OK, we're going to do an emergency redeploy to turn off the add-to-uploaders-by-default for now. Ugh.

gbaz commented 6 years ago

Redeploy done.

There aren't too many bad packages uploaded, but it would be good to black-hole them more thoroughly. In the meantime they can be marked deprecated and their spammy descriptions can be revised away.

Related tickets for erasing them more thoroughly from the UI:

https://github.com/haskell/hackage-server/issues/201
https://github.com/haskell/hackage-server/issues/382

hvr commented 6 years ago

I've made revisions to the packages exhibiting signs of unsolicited advertisement reported here.

ocramz commented 6 years ago

Thank you @hvr and @gbaz for responding promptly to this, however the spammy content is still available (in the Cabal file in fact). They are also still visible in the index. I know Hackage is supposed to be write-only, but wouldn't it be possible to intervene by hand and downright delete these packages?

hvr commented 6 years ago

@ocramz Yes we're intending to do so mid/long-term, but since this wasn't a concern in the past and the data model isn't optimised for this, we need to do a bit of preparatory work before we can handle this properly. We just did short-term the things we could do easily, and the rest will come later.

gbaz commented 6 years ago

Looking at the logs I noticed that we were still getting a lot of search traffic to the damn spam packages (I guess the keywords on them were high quality!) so I went and blasted them in the nginx conf with a 410 Gone.
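As an added illustration of the nginx-level block described above (this is not the actual hackage.haskell.org configuration, and the `$blocked` variable name, server block skeleton and upstream port are assumptions), the following matches the spam package names reported in this thread and answers with 410 Gone. A 410 rather than a 404 matters for the search-traffic problem: crawlers treat 410 as a permanent removal and drop the URL from their index, whereas a 404 may be retried. The pattern also covers versioned paths and sub-pages such as `/revisions/`, since the thread shows the spam reappearing under those URLs.

```nginx
# Added example, not the hackage-server deployment's real nginx config.
# Package names are the spam uploads reported in this thread; the
# $blocked variable, the server block and the upstream port are assumed.

map $uri $blocked {
    default 0;
    # Match /package/<name>, /package/<name>-<version>, and any sub-path
    # (e.g. /package/<name>-<version>/revisions/) so revision pages go too.
    "~*^/package/(my-test-docs|Facebook-Password-Hacker-Online-Latest-Version|Fortnite-Hack-Cheats-Free-V-Bucks-Generator|Clash-Royale-Hack-Cheats|f-ree-hack-cheats-free-v-bucks-generator)(-[0-9][0-9.]*)?(/|$)" 1;
}

server {
    listen 80;
    server_name hackage.haskell.org;

    # 410 Gone, not 404: crawlers treat 410 as permanent and de-index the
    # URL, which is what actually stops the inbound search traffic.
    if ($blocked) {
        return 410;
    }

    location / {
        proxy_pass http://127.0.0.1:8080;   # assumed hackage-server upstream
    }
}
```

Keeping the list in a `map` rather than in a chain of `location` blocks makes it easy to append the next batch of names when they come back, and the regex is anchored at `/package/` so it cannot accidentally cover user pages or the package index itself.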

vdorr commented 6 years ago

FYI some people may not get that "No access for this resource" means "After your account is created, you cannot upload until you contact the hackage admins" ;-)

gbaz commented 6 years ago

I'd be happy to take a PR for that. I think the message for the 403 is overridable.

RyanGlScott commented 6 years ago

They're back :\

gbaz commented 6 years ago

Thanks. I disabled that account :-/

gbaz commented 6 years ago

Look at these revisions, yipe: http://hackage.haskell.org/package/f-ree-hack-cheats-free-v-bucks-generator-0.2/revisions/

gbaz commented 6 years ago

We should kline the spam packages in the nginx conf again too.

gbaz commented 6 years ago

These packages too: http://hackage.haskell.org/user/demigod

expipiplus1 commented 4 years ago

Who makes the decision (and how) on what to censor on Hackage? Is there documentation on what constitutes a "fraudulent" package? (Not that I disagree with the examples in this thread.)

gbaz commented 4 years ago

The hackage admins are the only people with the perms to do this. We only act in the case of obvious spam. For anything contested, the decision would have to revert to the haskell.org committee, but that situation has never occurred.