Add an Acceptable Use Policy (#12550)

Author: di

docker-compose.yml

@@ -4,6 +4,7 @@ volumes:
   simple:
   packages:
   sponsorlogos:
+  policies:
   vault:
 
 services:
@@ -95,6 +96,7 @@ services:
       - .coveragerc:/opt/warehouse/src/.coveragerc:z
       - packages:/var/opt/warehouse/packages
       - sponsorlogos:/var/opt/warehouse/sponsorlogos
+      - policies:/var/opt/warehouse/policies
       - simple:/var/opt/warehouse/simple
       - ./bin:/opt/warehouse/src/bin:z
       - ./requirements:/opt/warehouse/src/requirements:z

policies/acceptable-use-policy.md

@@ -0,0 +1,345 @@
+# Acceptable Use Policy
+
+**Short version:** _PyPI is a critical resource for the Python ecosystem, which
+hosts a variety of projects from a diverse group of users. That resource is
+only effective when our users are able to work together as part of a community
+in good faith. While using PyPI, you must comply with our Acceptable Use
+Policies, which include some restrictions on content and conduct on PyPI
+related to user safety, intellectual property, privacy, authenticity, and other
+limitations. In short, be excellent to each other._
+
+We do not allow content or activity on PyPI that:
+
+- is unlawful or promotes unlawful activities;
+- is sexually obscene or relates to sexual exploitation or abuse, including of
+  minors;
+- is libelous, defamatory, or fraudulent;
+- is discriminatory or abusive toward any individual or group;
+- is false, inaccurate, or intentionally deceptive information and likely to
+  adversely affect the public interest (including health, safety, election
+  integrity, and civic participation);
+- harasses or abuses another individual or group, including our employees,
+  officers, and agents, or other users;
+- threatens or incites violence toward any individual or group, especially on
+  the basis of who they are;
+- gratuitously depicts or glorifies violence, including violent images; or
+- is off-topic, or interacts with platform features in a way that significantly
+  or repeatedly disrupts the experience of other users.
+- infringes any proprietary right of any party, including patent, trademark,
+  trade secret, copyright, right of publicity, or other right;
+- unlawfully shares unauthorized product licensing keys, software for
+  generating unauthorized product licensing keys, or software for bypassing
+  checks for product licensing keys, including extension of a free license beyond
+  its trial period;
+- impersonates any person or entity, including any of our employees or
+  representatives, including through false association with PyPI, or by
+  fraudulently misrepresenting your identity or site's purpose; or
+- violates the privacy of any third party, such as by posting another person's
+  personal information without consent.
+- automated excessive bulk activity and coordinated inauthentic activity, such
+  as
+   - spamming
+   - cryptocurrency mining;
+- bulk distribution of promotions and advertising prohibited by PyPI terms and
+  policies;
+- inauthentic interactions, such as fake accounts and automated inauthentic
+  activity;
+- creation of or participation in secondary markets for the purpose of the
+  proliferation of inauthentic activity;
+- using PyPI as a platform for propagating abuse on other platforms;
+- phishing or attempted phishing; or
+- using our servers for any form of excessive automated bulk activity, to place
+  undue burden on our servers through automated means, or to relay any form of
+  unsolicited advertising or solicitation through our servers, such as
+  get-rich-quick schemes.
+
+You are responsible for using PyPI in compliance with all applicable laws,
+regulations, and all of our Acceptable Use Policies. These policies may be
+updated from time to time and are provided below, as well as in our [Terms of
+Use](https://pypi.org/policy/terms-of-use/). You must not engage in activity
+that significantly harms other users. We will interpret our policies and
+resolve disputes in favor of protecting users as a whole.
+
+
+## Active Malware or Exploits
+
+Being part of a community includes not taking advantage of other members of the
+community. We do not allow anyone to use our platform in direct support of
+unlawful attacks that cause technical harms, such as using PyPI as a means to
+deliver malicious executables or as attack infrastructure, for example by
+organizing denial of service attacks or managing command and control servers.
+Technical harms means overconsumption of resources, physical damage, downtime,
+denial of service, or data loss, with no implicit or explicit dual-use purpose
+prior to the abuse occurring.
+
+Note that this includes dual-use content, including content that is used for
+research into vulnerabilities, malware, or exploits, including bug bounties. We
+consider PyPI to be a platform used primarily for installation and run-time use
+of code, and not for research.
+
+
+## Advertising
+
+While we understand that you may want to promote your Content by posting
+supporters' names or logos in your Account, the primary focus of the Content
+posted in or through your Account to PyPI should not be advertising or
+promotional marketing. You may include static images, links, and promotional
+text in the project descriptions associated with your Account, but they must be
+related to the project you are hosting on PyPI.
+
+You may not promote or distribute content or activity that is illegal or
+otherwise prohibited by our [Terms of Service](TODO) or Acceptable Use
+Policies, including excessive automated bulk activity (for example, spamming),
+get-rich-quick schemes, and misrepresentation or deception related to your
+promotion.
+
+If you decide to post any promotional materials in your Account, you are solely
+responsible for complying with all applicable laws and regulations, including
+without limitation the U.S. Federal Trade Commission's Guidelines on
+Endorsements and Testimonials. We reserve the right to remove any promotional
+materials or advertisements that, in our sole discretion, violate any PyPI
+terms or policies.
+
+
+## Bullying and Harassment
+
+We do not tolerate harassment, bullying, or abuse of any kind, whether directly
+or by encouraging others to take part in the prohibited conduct. This includes:
+
+- Targeted personal attacks
+- Piling on to or orchestrating disruptive activity in a way that amounts to
+  abuse
+- Following another user around the platform in a manner that causes
+  intimidation
+- Making sexual advances or comments directed at another individual
+- Disingenuously participating in conversation in a way that instigates
+  conflict or undermines sincere discussion
+- Creating alternative accounts specifically to evade moderation action taken
+  by PyPI staff or users
+
+Please note, not all unwelcome conduct is necessarily considered harassment.
+For example, disagreeing with another user may not rise to the level of
+harassment on our platform. In addition, sharing criticism of public figures or
+projects, or topics of public interest, does not necessarily fall under this
+policy. However, we encourage you to be mindful in how you engage with other
+users and the platform, as this activity may still violate our restriction on
+disrupting the experience of other users.
+
+
+## Disrupting the Experience of Other Users
+
+Being part of a community includes recognizing how your behavior affects others
+and engaging in meaningful and productive interactions with people and the
+platform they rely on.
+
+We do not allow behavior that significantly or continually disrupts the
+experience of other users.
+
+Please note that disruptive conduct may also violate other restrictions in our
+Acceptable Use Policies. For example, depending on the nature and severity of
+the activity, it may rise to the level of bullying and harassment.
+
+
+## Doxxing and Invasion of Privacy
+
+Misuse of personal information is prohibited.
+
+Any person, entity, or service collecting data from PyPI must comply with the
+[Python Software Foundation Privacy Policy](https://www.python.org/privacy/),
+particularly in regards to the collection of personal information. If you
+collect any personal information from PyPI, you agree that you will only use
+that personal information for the purpose for which that User has authorized
+it. You agree that you will reasonably secure any personal information you have
+gathered from PyPI, and you will respond promptly to complaints, removal
+requests, and "do not contact" requests from us or other users.
+
+Additionally, don't post other people's personal information. This includes:
+
+- Personal, private email addresses
+- Phone numbers
+- Physical addresses or other private location information
+- Bank account information or credit card numbers
+- Social Security/National Identity numbers
+- Passwords
+- Voter information
+- Medical information and personal biometric data
+- Other private information that may pose a safety or security risk
+
+We may consider other information, such as photos or videos that were taken or
+distributed without the subject's consent, to be an invasion of privacy,
+especially when such material presents a safety risk to the subject, such as in
+the case of intimidation or harassment.
+
+PyPI will take context into account as well as whether the reported content is
+publicly available elsewhere. Please note, however, that while sharing publicly
+available content may not be a violation of this policy, if the information is
+shared with the intent to harass or incite other abusive behavior, it may
+violate our prohibition against bullying and harassment.
+
+For more information, or to learn how to report a violation, see our [Code of
+Conduct](https://github.com/pypa/.github/blob/main/CODE_OF_CONDUCT.md).
+
+
+## Hate Speech and Discrimination
+
+PyPI does not tolerate speech that attacks or promotes hate toward an
+individual or group of people on the basis of who they are, including age, body
+size, ability, ethnicity, gender identity and expression, level of experience,
+nationality, personal appearance, race, religion, sexual identity, or sexual
+orientation. This includes:
+
+- Mocking, attacking, or excluding a person or group based on their beliefs or
+  the characteristics listed above
+- Displaying clear affiliation or identification with known terrorist or
+  violent extremist organizations
+- Supporting or promoting hate groups or hate-based conspiracy theories
+- Sharing symbols or images synonymous with hate
+- Using harmful stereotypes, slurs, or dehumanizing speech
+- Attacking an individual based on their perceived gender
+- Dog whistling; or using coded or suggestive language and/or symbols to
+  promote abuse or hate
+
+While PyPI takes all instances of abuse and harassment on the platform
+seriously, we are especially committed to fighting hate-based abuse where it
+disproportionately affects communities that have historically been targeted by
+such abuse. We aim to make PyPI a place where all individuals feel welcome and
+safe.
+
+
+## Impersonation
+
+You may not misrepresent your identity or your association with another person
+or organization. This includes doing any of the following in a way that
+misleads or deceives others:
+
+- Copying another user's avatar or other personal profile information
+- Posting content under another user's email address
+- Using a deceptively similar username, organization name, or project name
+- Otherwise posing as another individual or organization
+
+Impersonation is a form of harassment and violation of this policy may lead to
+loss of access to your account.
+
+Please note, having a username similar to another is not necessarily
+impersonation. PyPI will take context into account.
+
+
+## Misinformation and Disinformation
+
+You may not post content that presents a distorted view of reality, whether it
+is inaccurate or false (misinformation) or is intentionally deceptive
+(disinformation), where such content is likely to result in harm to the public
+or to interfere with fair and equal opportunities for all to take part in a
+free and open society. This may include:
+- Inaccurate or scientifically unsupported medical claims that endanger public
+  health or safety
+- Manipulated media, whether audio or visual, likely to mislead or deceive in a
+  way that may harm the public interest
+- False or misleading content likely to interfere with an individual's ability
+  to participate in civic activities
+- Unsubstantiated claims that could promote hate or targeted harassment of
+  specific groups of people
+
+We encourage active participation in the expression of ideas, perspectives, and
+experiences and may not be in a position to dispute personal accounts or
+observations. When reviewing content under this policy, PyPI will consider the
+impact of various factors that may help to orient the viewer, such as whether
+the content has been provided with clear disclaimers, citations to credible
+sources, or includes other details that clarify the accuracy of the information
+being shared.
+
+
+## Sexually Obscene Content
+
+We do not tolerate content associated with sexual exploitation or abuse of
+another individual, including where minors are concerned. We do not allow
+sexually themed or suggestive content that serves little or no purpose other
+than to solicit an erotic or shocking response, particularly where that content
+is amplified by its placement in profiles or other social contexts. This
+includes:
+
+- Pornographic content
+- Non-consensual intimate imagery
+- Graphic depictions of sexual acts including photographs, video, animation,
+  drawings, computer-generated images, or text-based content
+
+We recognize that not all nudity or content related to sexuality is obscene. We
+may allow visual and/or textual depictions in artistic, educational, historical
+or journalistic contexts, or as it relates to victim advocacy. In some cases a
+disclaimer can help communicate the context of the project. However, please
+understand that we may choose to limit the content by giving users the option
+to opt in before viewing.
+
+
+## Threats of Violence and Gratuitously Violent Content
+
+You may not use PyPI to organize, promote, encourage, threaten, or incite acts
+of violence. You may not post content that depicts or glorifies violence or
+physical harm against human beings or animals. This includes:
+
+- Threatening another individual or group with abuse, harm, sexual violence, or
+  death
+- Posting text, imagery, or audio content glorifying or containing a graphic
+  depiction of violence toward oneself, another individual, group, or animal
+- Encouraging another individual to engage in self harm
+
+
+## Usage Limits
+
+You will not reproduce, duplicate, copy, sell, resell or exploit any portion of
+PyPI, use of PyPI, or access to PyPI without our express written permission.
+
+You may use information from PyPI for the following reasons, regardless of
+whether the information was scraped, collected through our API, or obtained
+otherwise:
+
+-  Researchers may use public, non-personal information from PyPI for research
+   purposes, only if any publications resulting from that research are [open
+   access](https://en.wikipedia.org/wiki/Open_access).
+-  Archivists may use public information from PyPI for archival purposes.
+
+Scraping refers to extracting information from PyPI via an automated process,
+such as a bot or webcrawler. Scraping does not refer to the collection of
+information through our API.
+
+You may not use information from PyPI (whether scraped, collected through our
+API, or obtained otherwise) for spamming purposes, including for the purposes
+of sending unsolicited emails to users or selling personal information, such as
+to recruiters, headhunters, and job boards.
+
+Your use of information from PyPI must comply with the [Python Software
+Foundation Privacy Policy](https://www.python.org/privacy/).
+
+PyPI generally does not impose resource limitations on any features. If we
+determine your usage of PyPI to be significantly excessive in relation to other
+users of similar features, we reserve the right to suspend your Account,
+throttle your requests, or otherwise limit your activity until you can reduce
+your usage.
+
+You may not use our servers to disrupt or to attempt to disrupt, or to gain or
+to attempt to gain unauthorized access to, any service, device, data, account
+or network.
+
+
+## Violations and Enforcement
+
+PyPI retains full discretion to take action in response to a violation of these
+policies, including account suspension, account termination, or removal of
+content.
+
+While the majority of interactions between individuals in PyPI’s community fall
+within our Acceptable Use Policies and Community Guidelines, violations of
+those policies do occur at times. When they do, PyPI staff may need to take
+enforcement action to address the violations. In all cases, these actions are
+permanent and there is no basis to reverse a moderation action taken by PyPI
+Staff.
+
+
+## Credits & License
+
+This policy is based on [GitHub’s Acceptable Use
+Policies](https://docs.github.com/en/site-policy/acceptable-use-policies/) and
+modified from its original form.
+
+Licensed under the [Creative Commons Attribution 4.0 International
+license](https://creativecommons.org/licenses/by/4.0/).

tests/unit/test_routes.py

@@ -656,4 +656,7 @@ def add_policy(name, filename):
         ),
     ]
 
-    assert config.add_policy.calls == [pretend.call("terms-of-use", "terms.md")]
+    assert config.add_policy.calls == [
+        pretend.call("terms-of-use", "terms.md"),
+        pretend.call("acceptable-use-policy", "acceptable-use-policy.md"),
+    ]

warehouse/routes.py

@@ -57,6 +57,7 @@ def includeme(config):
 
     # Our legal policies
     config.add_policy("terms-of-use", "terms.md")
+    config.add_policy("acceptable-use-policy", "acceptable-use-policy.md")
     config.add_template_view(
         "trademarks",
         "/trademarks/",