M.-A. Lemburg wrote:
> Tarek Ziadé wrote:
>> On Thu, May 6, 2010 at 5:18 PM, M.-A. Lemburg <[email protected]> wrote:
>> [..]
>>> Sorry, perhaps I wasn't clear: when uploading things to PyPI
>>> you accept the PyPI terms. These terms currently allow anyone
>>> to take the data from PyPI and publicly redistribute it
>>> without any restrictions.
>>>
>>> I think it's better to only allow the PSF to redistribute data
>>> that it got from the PyPI package authors.
>> I am not sure what it means that the PSF redistributes data. Is this
>> http://www.python.org/about/legal or another text ?
>
> That text needs some care as well, yes. I was referring to this text
> on PyPI:
>
> http://pypi.python.org/pypi?%3Aaction=register_form
> """
> By registering to upload content to PyPI, I agree and affirmatively
> acknowledge the following:
>
> 1. Content is restricted to Python packages and related information only.
> 2. Any content uploaded to PyPI is provided on a non-confidential basis.
> 3. The PSF is free to use or disseminate any content that I upload on an
>    unrestricted basis for any purpose. In particular, the PSF and all other
>    users of the web site are granted an irrevocable, worldwide, royalty-free,
>    nonexclusive license to reproduce, distribute, transmit, display, perform,
>    and publish the content, including in digital form.
> 4. I represent and warrant that I have complied with all government
>    regulations concerning the transfer or export of any content I upload to
>    PyPI. In particular, if I am subject to United States law, I represent and
>    warrant that I have obtained the proper governmental authorization for the
>    export of the content I upload. I further affirm that any content I provide
>    is not intended for use by a government end-user as defined in part 772 of
>    the United States Export Administration Regulations.
> """
>
>> A list of prohibited usage (combined with authentication) should be
>> enough to prevent the problem
>> as far as I understand.
>>
>> For instance, here's SourceForge's one
>>
>> http://sourceforge.net/apps/trac/sitelegal/wiki/Terms_of_Use#a2.YOURUSEOFSOURCEFORGE.NET
>>
>> Extract:
>>
>> ...using any information obtained from SourceForge.net in order to
>> contact, advertise to, solicit, or sell to any
>> user without such user's prior explicit consent (including
>> non-commercial contacts like chain letters);
>
> Right, we'd need something along those lines.
>
>> [..]
>>>> What I propose is:
>>>>
>>>> - set up authentication for the XML-RPC APIs, in order to control
>>>>   this. If a user starts to use
>>>>   XML-RPC calls in his bots, it's easy to shut it down.
>>>>
>>>> - set up a restricted list of subscribers for the PubSubHubbub
>>>>   protocol (I am not sure if this protocol
>>>>   supports authentication, but I guess we can set something up)
>>>>
>>>> - avoid displaying any email or derived emails on anonymous page
>>> I'm not sure how that would work. Package manager tools would
>>> then all have to use this authentication mechanism.
>> Yes but they would need to use an account therefore have an identity
>> when they run their scripts.
>
> Hmm, wouldn't that require all pip users to have PyPI account ?

I *think* PIP uses the "/simple" API (the RESTy one), rather than XMLRPC.
That is certainly how setuptools / distribute work, anyway.

Tres.
-- 
===================================================================
Tres Seaver          +1 540-429-0999          [email protected]
Palladion Software   "Excellence by Design"    http://palladion.com
