Crates.io incident 2018-10-15


#50

Maybe I’m wrong, but my impression is that the topic of squatting came up again because it started to be perceived by a non-trivial subset of the community as a growing problem that is becoming a real pain point.

Perhaps a discussion that needs to happen is “Is the rust community willing to re-discuss decisions later? Or are we taking the stance that once we have made a decision, we will own it and see how it plays out?”.

Personally, I think both sides have merits. Re-discussion can help address concerns once we have more information about problematic outcomes. At the same time, if the discussion doesn’t go anywhere, it can just be demoralizing and exhausting for everyone.


#51

I’m about to go to lunch, so I’ll be making more substantial replies later, but I absolutely think that this lies on a spectrum. I chose an extreme example on purpose, I’m not saying that this specific topic is that extreme. Even the 2014 post acknowledged that we’ll feel these out over time.


#52

It’s cool! No worries :slight_smile:

So, I thought I had a lot to say to respond to you, but now that I re-read it carefully, I’m not sure I do :slight_smile: I don’t necessarily disagree with much of what you’ve said.

I do have one small thing, I guess. I don’t even think that some of the discussions need to be moved from internals. Nobody is advocating closing the namespacing threads, for example. But I do think there’s mis-matched expectations about who is supposed to be participating in them. Sometimes, people do participate in internals, but it’s really a more free-flowing space. With limited time, many team members don’t read internals. Since the RFC process is the way to actually affect changes, they stick to that, which is their job. But it seems like some people in these various threads read this as somehow “ignoring” the discussion. Or that the team “isn’t listening.” But that’s because these things aren’t being asked in the right place! Or rather, this is the right place to discuss a bunch of stuff, in order to prepare the work of an RFC. But if you really want a response from the team, posting an RFC or emailing them is a better way to get them to notice than assuming they’ll reply on internals. This is mostly just due to the nature of Rust’s growth; not everyone has the time to keep up with every single possible conversation that might be relevant to their team.


#53

When I originally read about the incident, I thought there was ‘hacking’ involved, rather than simply creating an account with a disingenuous name. Perhaps in future announcements, this distinction could be given more clarity?


#54

You can split hairs about what qualifies as “hacking”, but pushing a system to the point that it becomes unresponsive for everyone is definitely unacceptable abuse in my opinion. From the blog post:

The rate at which this user uploaded packages eventually resulted in our servers being throttled by GitHub, causing a slowdown in all package uploads or yanks.

  • 20:17 UTC: All requests updating the index begin to take 10+ seconds

#55

OTOH a rate of 1 request per 2 seconds is not that much. It’s good that cratesio is getting rate limiting.


#56

i’m replying here for the purposes of clarifying/correcting some of the vibes that folks appear to have gotten.

i am on the crates.io team. this team is very very new. it formed when @sgrif and i were dealing with an incident in April around the project and realized that we clearly needed more focus and support for the service.

i have seen some sentiment as follows:

  • the team will only act when it is convinced
  • folks should just fork crates.io and make their own service
  • we aren’t willing to “rehash” decisions that are already made

i’d like to correct this.

  1. we make decisions exactly the same way all the other teams do: RFC -> consensus. there are a lot of emotions here and i think there’s been some confusing comments from everyone.
  2. please join the team’s meetings (every thursday 4pm ET) as an observer. you can ping me personally or ping crates-io-team on discord. we also have a channel, ops/#crates-io, we also have an email, help@crates.io. joining as an observer is the first step to joining the team. you can fully participate in our conversations.
  3. auditing our current policies and their effectiveness is on our list of goals for the team. we will indeed be discussing them. that may lead to change, or it may not, but i want to be clear that we think talking about it is Actually Good. though, much of the way it has been discussed on this an other forums has made that very hard. (if we spend all our time reacting we cannot take proactive action) - that being said, i do not think a universe where we consistently rehash policy is a good (or possible) one (time is not infinite), i think we can schedule audits, probably on a yearly basis to see if things need to change.

we are a small team currently. we’d like to grow. we cover so many different aspects of the crates.io service. there’s lots to do. getting aggro here is not useful, and i direct that to everyone involved. rust moves slowly and deliberately and we have literally never made policy based on a collection of heated threads from forums and that is not gonna change for this specific request. please take this energy and channel it into constructive participation in the team process.


#57

My point was about accurately communicating the situation, not about whether it was abusive.