Integrate "crates.io Policy Update" RFC
Turbo87 committed Nov 10, 2023
1 parent 9699793 commit b63e9c6
Showing 3 changed files with 133 additions and 145 deletions.
2 changes: 1 addition & 1 deletion app/components/footer.hbs
@@ -22,7 +22,7 @@
<div>
<h1>Policies</h1>
<ul role="list">
<li><LinkTo @route="policies">Package Policies</LinkTo></li>
<li><LinkTo @route="policies">Usage Policy</LinkTo></li>
<li><a href="https://www.rust-lang.org/policies/security">Security</a></li>
<li><a href="https://foundation.rust-lang.org/policies/privacy-policy/">Privacy Policy</a></li>
<li><a href="https://www.rust-lang.org/policies/code-of-conduct">Code of Conduct</a></li>
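Review bot: the footer's "Policies" list still omits the Data Access page, which this same commit retitles to "Data Access Policy" in app/templates/data-access.hbs; consider adding a `<LinkTo @route="data-access">Data Access Policy</LinkTo>` entry next to "Usage Policy" so the page is discoverable from the footer. The existing change is otherwise consistent: the link text now matches the new PageHeader title in policies.hbs, and the `@route="policies"` target is unchanged, so the URL and any existing deep links keep working.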
2 changes: 1 addition & 1 deletion app/templates/data-access.hbs
@@ -1,4 +1,4 @@
<PageHeader @title="Accessing crates.io data" />
<PageHeader @title="Data Access Policy" />

<TextContent @boxed={{true}}>
<p>
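Review bot: only the title line changes here, from a how-to heading ("Accessing crates.io data") to a policy heading ("Data Access Policy"), while the `<TextContent>` body below is left as is; since policies.hbs in this commit drops its own crawler requirements and now only links to this page as the "Data Access Policy", double-check that the body of this page actually states those requirements rather than just describing download options, otherwise the rename promises a policy the page does not contain.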
274 changes: 131 additions & 143 deletions app/templates/policies.hbs
@@ -1,164 +1,152 @@
<PageHeader @title="Crates.io Package Policies" />
<PageHeader @title='Usage Policy' />

<TextContent @boxed={{true}}>
<p>
In general, these policies are guidelines. Problems are often contextual, and
exceptional circumstances sometimes require exceptional measures. We plan to
continue to clarify and expand these rules over time as new circumstances
arise. If your problem is not described below, consider
<a href='mailto:[email protected]'>sending us an email</a>.
</p>

<h2 id='package-ownership'><a href='#package-ownership'>Package Ownership</a></h2>

<p>
We have a first-come, first-served policy on crate names. Upon publishing a
package, the publisher will be made owner of the package on Crates.io.
</p>

<p>
If someone wants to take over a package, and the previous owner agrees, the
existing maintainer can add them as an owner, and the new maintainer can remove
them. If necessary, the team may reach out to inactive maintainers and help
mediate the process of ownership transfer.
</p>

<p>
Using an automated tool to claim ownership of a large number of package names
is not permitted. We reserve the right to block traffic or revoke ownership
of any package we determine to have been claimed by an automated tool.
</p>

<h2 id='removal'><a href='#removal'>Removal</a></h2>

<p>
Many questions are specialized instances of a more general form: “Under what
circumstances can a package be removed from Crates.io?”
</p>

<p>
The short version is that packages are first-come, first-served, and we won’t
attempt to get into policing what exactly makes a legitimate package. We will
do what the law requires us to do, and address flagrant violations of the Rust
Code of Conduct.
</p>

<h3 id='delete-crate'><a href='#delete-crate'>How can I delete a crate I own from the registry?</a></h3>

<p>
You can't delete crates from the registry, but you can leave it open for
transferring ownership to others.
</p>

<p>
To do this, you must publish a version with a message in the README
communicating to crates.io support team that you consent to transfer the
crate to the first person who asks for it:
</p>
<p><strong>Short version:</strong>
<em>crates.io is a critical resource for the Rust ecosystem, which hosts a variety of packages from a diverse group of
users. That resource is only effective when our users are able to work together as part of a community in good
faith. While using crates.io, you must comply with our Acceptable Use Policies, which include some restrictions on
content and conduct on crates.io related to user safety, intellectual property, privacy, authenticity, and other
limitations. In short, be excellent to each other!</em></p>

<p>We do not allow content or activity on crates.io that:</p>

<ul>
<li>violates the <a href='https://www.rust-lang.org/policies/code-of-conduct'>Code of Conduct</a> of the Rust project</li>
<li>is unlawful or promotes unlawful activities, incurring legal liability in the countries the Rust Foundation
officially operates in</li>
<li>is libelous, defamatory, or fraudulent</li>
<li>amounts to phishing or attempted phishing</li>
<li>infringes any proprietary right of any party, including patent, trademark, trade secret, copyright, right of
publicity, or other right</li>
<li>unlawfully shares unauthorized product licensing keys, software for generating unauthorized product licensing
keys, or software for bypassing checks for product licensing keys, including extension of a free license beyond its
trial period</li>
<li>contains malicious code, such as computer viruses, computer worms, rootkits, back doors, or spyware, including
content submitted for research purposes (tools designed and documented explicitly to assist in security research are
acceptable, but exploits and malware that use the crates.io registry as a deployment or delivery vector are not)</li>
<li>uses obfuscation to hide or mask functionality</li>
<li>is discriminatory toward, harasses or abuses another individual or group</li>
<li>threatens or incites violence toward any individual or group, especially on the basis of who they are</li>
<li>is using crates.io as a platform for propagating abuse on other platforms</li>
<li>violates the privacy of any third party, such as by posting another person's personal information without
consent</li>
<li>gratuitously depicts or glorifies violence, including violent images</li>
<li>is sexually obscene or relates to sexual exploitation or abuse, including of minors (see &quot;Sexually Obscene
Content&quot; section below)</li>
<li>is off-topic, or interacts with platform features in a way that significantly or repeatedly disrupts the
experience of other users</li>
<li>exists only to reserve a name for a prolonged period of time (often called &quot;name squatting&quot;) without
having any genuine functionality, purpose, or significant development activity on the corresponding repository</li>
<li>is related to buying, selling, or otherwise trading of package names or any other names on crates.io for money or
other compensation</li>
<li>impersonates any person or entity, including through false association with crates.io, or by fraudulently
misrepresenting your identity or site's purpose</li>
<li>is related to inauthentic interactions, such as fake accounts and automated inauthentic activity</li>
<li>is using our servers for any form of excessive automated bulk activity, to place undue burden on our servers
through automated means, or to relay any form of unsolicited advertising or solicitation through our servers, such
as get-rich-quick schemes</li>
<li>is using our servers for other automated excessive bulk activity or coordinated inauthentic activity, such as</li>
<li>spamming</li>
<li>cryptocurrency mining</li>
<li>is not functionally compatible with the cargo build tool (for example, a &quot;package&quot; cannot simply be a
PNG or JPEG image, a movie file, or a text document uploaded directly to the registry)</li>
<li>is abusing the package index for purposes it was not intended</li>
</ul>

<p>You are responsible for using crates.io in compliance with all applicable laws, regulations, and all of our policies.
These policies may be updated from time to time. We will interpret our policies and resolve disputes in favor of
protecting users as a whole. The crates.io team reserves the possibility to evaluate each instance on a case-by-case
basis.</p>

<p>For issues such as DMCA violations, or trademark and copyright infringements, the crates.io team will respect the
legal decisions of the <a href='https://rustfoundation.org/'>Rust Foundation</a> as the official legal entity
providing the crates.io service.</p>

<h2 id='package-ownership'>Package Ownership</h2>

<p>crates.io has a first-come, first-serve policy on crate names. Upon publishing a package, the publisher will be made
owner of the package on crates.io.</p>

<p>If you want to take over a package, we require you to first try and contact the current owner directly. If the
current owner agrees, they can add you as an owner of the crate, and you can then remove them, if necessary. If the
current owner is not reachable or has not published any contact information the crates.io team may reach out to help
mediate the process of the ownership transfer.</p>

<p>Crate deletion by their owners is not possible to keep the registry as immutable as possible. If you want to flag
your crate as open for transferring ownership to others, you can publish a new version with a message in the README or
description communicating to thecrates.io support team that you consent to transfer the crate to the first person who
asks for it:</p>

<blockquote>
I consent to the transfer of this crate to the first person who asks
[email protected] for it.
</blockquote>

<h3 id='squatting'><a href='#squatting'>Squatting</a></h3>
<p>The crates.io team may delete crates from the registry that do not comply with the policies on this document. In
larger cases of squatting attacks this may happen without prior notification to the author, but in most cases the team
will first give the author the chance to justify the purpose of the crate.</p>

<p>
We do not have any policies to define 'squatting', and so will not hand over
ownership of a package for that reason.
</p>
<h2 id='data-access'>Data Access</h2>

<h3 id='the-law'><a href='#the-law'>The Law</a></h3>
<p>Details on how to access the crates.io data can be found on the dedicated <LinkTo @route="data-access">Data Access
Policy</LinkTo> page.</p>

<p>
For issues such as DMCA violations, trademark and copyright infringement,
Crates.io will respect the <a href='https://foundation.rust-lang.org'>Rust Foundation</a>'s legal decisions with regards to content that
is hosted.
</p>
<h2 id='security'>Security</h2>

<h3 id='code-of-conduct'><a href='#code-of-conduct'>Code of Conduct</a></h3>
<p>Safety is one of the core principles of Rust, and to that end, we would like to ensure that cargo and crates.io have
secure implementations. To learn more about disclosing security vulnerabilities for these tools, please reference the
<a href='https://www.rust-lang.org/policies/security'>Rust Security policy</a>
for more details.</p>

<p>
The Rust project has a
<a href='https://www.rust-lang.org/conduct.html'>Code of Conduct</a>
which governs appropriate conduct for the Rust community. In
general, any content on Crates.io that violates the Code of Conduct may be
removed. Here, content can refer to but is not limited to:
</p>
<p>Note that this policy only applies to official Rust projects like crates.io and cargo, and not individual crates. The
crates.io team and the Security Response working group are not responsible for the disclosure of vulnerabilities to
specific crates, and if any issues are found, you should seek guidance from the individual crate owners and their
specific policies instead.</p>

<ul>
<li>Package Name</li>
<li>Package Metadata</li>
<li>Documentation</li>
<li>Code</li>
</ul>
<p>Thank you for taking the time to responsibly disclose any issues you find.</p>

<p>
There are two important, related aspects:
</p>
<h2 id='sexually-obscene-content'>Sexually Obscene Content</h2>

<p>We do not tolerate content associated with sexual exploitation or abuse of another individual, including where minors
are concerned. We do not allow sexually themed or suggestive content that serves little or no purpose other than to
solicit an erotic or shocking response, particularly where that content is amplified by its placement in profiles or
other social contexts.</p>

<p>This includes:</p>

<ul>
<li>
We will not be pro-actively monitoring the site for these kinds of
violations, but relying on the community to draw them to our attention.
<li>Pornographic content</li>
<li>Non-consensual intimate imagery</li>
<li>Graphic depictions of sexual acts including photographs, video, animation, drawings, computer-generated images, or
text-based content
</li>

<li>
“Does this violate the Code of Conduct” is a contextual question that
cannot be directly answered in the hypothetical sense. All of the details
must be taken into consideration in these kinds of situations.
</li>
</ul>
</ul>

<p>We recognize that not all nudity or content related to sexuality is obscene. We may allow visual and/or textual
depictions in artistic, educational, historical or journalistic contexts, or as it relates to victim advocacy. In some
cases a disclaimer can help communicate the context of the project.</p>

<h2 id='violations-and-enforcement'>Violations and Enforcement</h2>

<p>crates.io retains full discretion to take action in response to a violation of these policies, including account
suspension, account termination, or removal of content.</p>

<p>We will however not be proactively monitoring the site for these kinds of violations, but instead relying on the
community to draw them to our attention.</p>

<p>While the majority of interactions between individuals in the Rust community falls within our policies, violations of
those policies do occur at times. When they do, the crates.io team may need to take enforcement action to address the
violations. In all cases, content and account deletion is permanent and there is no basis to reverse these moderation
actions taken by the crates.io team. Account suspension may be lifted at the team's discretion however, for
example in the case of someone's account being compromised.</p>

<h2 id='credits-license'>Credits &amp; License</h2>

<p>This policy is partially based on
<a href='https://github.com/pypi/warehouse/blob/3c404ada9fed7a03bbf7c3c74e86c383f705d96a/policies/acceptable-use-policy.md'>
PyPI’s Acceptable Use Policy</a> and modified from its original form.</p>

<h2 id='security'><a href='#security'>Security</a></h2>

<p>
Cargo and crates.io are projects that are governed by the Rust Programming
Language Team. Safety is one of the core principles of Rust, and to that end,
we would like to ensure that cargo and crates.io have secure implementations.
To learn more about disclosing security vulnerabilities, please reference the
<a href='https://www.rust-lang.org/security.html'>Rust Security policy</a> for
more details.
</p>

<p>
Thank you for taking the time to responsibly disclose any issues you find.
</p>

<h2 id='crawlers'><a href='#crawlers'>Crawlers</a></h2>

<p>
Before resorting to crawling crates.io, please read
<LinkTo @route="data-access">Accessing the Crates.io Data</LinkTo>.
</p>

<p>
We allow our API and website to be crawled by commercial crawlers such as
GoogleBot. At our discretion, we may choose to allow access to experimental
crawlers, as long as they limit their request rate to 1 request per second or
less.
</p>

<p>
We also require all crawlers to provide a user-agent header that allows us to
uniquely identify your bot. This allows us to more accurately monitor any
impact your bot may have on our service. Providing a user agent that only
identifies your HTTP client library (such as "<code>request/0.9.1</code>") increases the
likelihood that we will block your traffic.

It is recommended, but not required, to include contact information in your user
agent. This allows us to contact you if we would like a change in your bot's
behavior without having to block your traffic.
</p>

<p>
Bad: "<code>User-Agent: reqwest/0.9.1</code>"<br>
Better: "<code>User-Agent: my_bot</code>"<br>
Best: "<code>User-Agent: my_bot (my_bot.com/info)</code>" or "<code>User-Agent: my_bot (help@my_bot.com)</code>"
</p>

<p>
We reserve the right to block traffic from any bot that we determine to be in
violation of this policy or causing an impact on the integrity of our service.
</p>
<p>Licensed under the
<a href='https://creativecommons.org/licenses/by/4.0/'>Creative Commons Attribution 4.0 International license</a>.</p>
</TextContent>
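Review bot: the prohibited-content list in the new text has a nesting bug: the item ending in "coordinated inauthentic activity, such as" is immediately followed by `<li>spamming</li>` and `<li>cryptocurrency mining</li>` as sibling items, so they render as three separate top-level bullets with the first one dangling on "such as"; wrap the two examples in a nested `<ul>` inside that `<li>`. That item also restates the preceding bullet ("is using our servers for any form of excessive automated bulk activity ..."), so the two should be merged. Further points in the same hunk: the ownership-transfer paragraph has the typo "thecrates.io support team"; the new `<h2 id='...'>` headings drop the `<a href='#...'>` self-links the old headings had (the ids are preserved, so fragment links still resolve, but the clickable anchors are gone); `<PageHeader @title='Usage Policy' />` uses single quotes where the other templates in this commit use `@title="..."`. Finally, the removed Crawlers section carried two concrete, enforceable requirements, the 1 request per second limit for experimental crawlers and the identifying User-Agent header with the bad/better/best examples, and the new text replaces them only with a link to the Data Access page and the generic "excessive automated bulk activity" bullet; if those requirements are not reproduced on the Data Access page, the stated basis for blocking unidentified bot traffic disappears from the policy with this change.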

0 comments on commit b63e9c6