Implement publish notifications opt-out #9359
Conversation
Turbo87
added
C-enhancement ✨
Turbo87
force-pushed
the
publish-notifications-opt-out
branch
from
c5bc766 to
520453d
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #9359 +/- ##
==========================================
+ Coverage 89.06% 89.09% +0.03%
==========================================
Files 285 286 +1
Lines 28938 29032 +94
==========================================
+ Hits 25773 25867 +94
Misses 3165 3165 ☔ View full report in Codecov by Sentry. |
Turbo87
force-pushed
the
publish-notifications-opt-out
branch
3 times, most recently
from
d4225c1 to
4a86805
Compare
|
I assume the email should be updated with an "Unsubscribe" link to make sure people are aware of this. In general, I think enabled-by-default will make security worse, not better. First, the concern over the lack of an opt-out was raised about a year ago. In that discussion, I called out the security risks of spamming people with this. Even when "unsubscribe" links are provided, it seems users are more inclined to click the "spam" button than to unsubscribe. Email providers seem to cross-pollinate that information between accounts and start treating it as spam even if you never said it was. This means one user not wanting email notifications can effectively opt-out other users from getting these emails! A user who wants the emails is trusting in the system to receive them and think everything is ok because they haven't received one. It can be easy to overlook the lack of emails being sent when you do your own publishes, if you are in that scenario. |
This comment was marked as off-topic.
This comment was marked as off-topic.
|
Without diminishing the pain this is causing. Why has this been such a large issue in our community when many other ecosystems do not provide an opt out? pypi, npn, and others do not have an opt out. what is different about the implementation or the community to cause the disparate impact?
A non-distributed version of this problem is also a problem if we provide an opt out. An attacker can opt out then publish then opt back in so that the website still says your opted in but you never got the email for the publish. |
As I brought up on zulip, I have no idea what policy PyPI uses but I've never received a notification for a publish to PyPI. I am a sole owner on a couple of packages and published one this morning. We also shouldn't blindly copy from other ecosystems but see what lessons we can learn from them and adapt accordingly. |
At least what makes me really want this feature is the "owner accounts" pattern that is popular in crates from large organizations. For example, I receive notifications from @rust-lang-owner, and that means every monday I get ~35 emails about rust-analyzer being published, or ~10 emails when cargo gets published after a new release, and random emails whenever a CI workflow somewhere in the rust-lang org publishes a crate. Those emails are pure noise, because I am not involved in any way about those crate publishes, and I can't verify whether those were intentional or not.
We can have the website send an email whenever notifications are disabled and enabled, to ensure there are at least some mails receive. We can make that "notifications disabled" email as scary as it needs to be. |
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
|
@rust-lang/crates-io this still needs a review... 😉 |
…h the `publish_notifications` flag set
This field can be used to check if the logged in user is currently subscribed to publish notifications.
Currently only the `email` field is supported, but that is about to change. Unfortunately with `serde_json` it is hard to differentiate between `email: null` and the `email` field not existing, since both are decoded as `Option::None`. Since our frontend does not send `email: null` and the endpoint does not appear to be used via token authentication this seems like a viable change. Side note: This endpoint is behaving like a `PATCH` endpoint, but is currently using the `PUT` HTTP method for legacy reasons.
This field can be used to un-/resubscribe to publish notifications. When a user unsubscribes they get an email notification.
Turbo87
force-pushed
the
publish-notifications-opt-out
branch
from
4a86805 to
1fb1163
Compare
It looks like some people are rather unhappy about the new publish notifications introduced in #9341 (see https://rust-lang.zulipchat.com/#narrow/stream/318791-t-crates-io/topic/publish.20notification.20emails/near/465824072 and #9355).
This PR adds a per-user settings flag to opt-out of these notifications:
This PR is best reviewed commit by commit 😉
Resolves #9355