Integrate "crates.io Policy Update" RFC

see rust-lang/rfcs#3463

Author: Turbo87

app/components/footer.hbs

@@ -22,7 +22,7 @@
     <div>
       <h1>Policies</h1>
       <ul role="list">
-        <li><LinkTo @route="policies">Package Policies</LinkTo></li>
+        <li><LinkTo @route="policies">Usage Policy</LinkTo></li>
         <li><a href="https://www.rust-lang.org/policies/security">Security</a></li>
         <li><a href="https://foundation.rust-lang.org/policies/privacy-policy/">Privacy Policy</a></li>
         <li><a href="https://www.rust-lang.org/policies/code-of-conduct">Code of Conduct</a></li>

app/templates/data-access.hbs

@@ -1,4 +1,4 @@
-<PageHeader @title="Accessing crates.io data" />
+<PageHeader @title="Data Access Policy" />
 
 <p>
   crates.io provides several ways of accessing crate data and metadata,

app/templates/policies.hbs

@@ -1,162 +1,165 @@
-<PageHeader @title="Crates.io Package Policies" />
-
-<p>
-  In general, these policies are guidelines. Problems are often contextual, and
-  exceptional circumstances sometimes require exceptional measures. We plan to
-  continue to clarify and expand these rules over time as new circumstances
-  arise. If your problem is not described below, consider
-  <a href='mailto:[email protected]'>sending us an email</a>.
-</p>
-
-<h2 id='package-ownership'><a href='#package-ownership'>Package Ownership</a></h2>
-
-<p>
-  We have a first-come, first-served policy on crate names. Upon publishing a
-  package, the publisher will be made owner of the package on Crates.io.
-</p>
-
-<p>
-  If someone wants to take over a package, and the previous owner agrees, the
-  existing maintainer can add them as an owner, and the new maintainer can remove
-  them. If necessary, the team may reach out to inactive maintainers and help
-  mediate the process of ownership transfer.
-</p>
-
-<p>
-  Using an automated tool to claim ownership of a large number of package names
-  is not permitted. We reserve the right to block traffic or revoke ownership
-  of any package we determine to have been claimed by an automated tool.
-</p>
-
-<h2 id='removal'><a href='#removal'>Removal</a></h2>
-
-<p>
-  Many questions are specialized instances of a more general form: “Under what
-  circumstances can a package be removed from Crates.io?”
-</p>
-
-<p>
-  The short version is that packages are first-come, first-served, and we won’t
-  attempt to get into policing what exactly makes a legitimate package. We will
-  do what the law requires us to do, and address flagrant violations of the Rust
-  Code of Conduct.
-</p>
-
-<h3 id='delete-crate'><a href='#delete-crate'>How can I delete a crate I own from the registry?</a></h3>
-
-<p>
-  You can't delete crates from the registry, but you can leave it open for
-  transferring ownership to others.
-</p>
-
-<p>
-  To do this, you must publish a version with a message in the README
-  communicating to crates.io support team that you consent to transfer the
-  crate to the first person who asks for it:
-</p>
+<PageHeader @title='Usage Policy' />
+
+<p><strong>Short version:</strong>
+  <em>crates.io is a critical resource for the Rust ecosystem, which hosts a variety of packages from a diverse group of
+    users. That resource is only effective when our users are able to work together as part of a community in good
+    faith. While using crates.io, you must comply with our Acceptable Use Policies, which include some restrictions on
+    content and conduct on crates.io related to user safety, intellectual property, privacy, authenticity, and other
+    limitations. In short, be excellent to each other!</em></p>
+
+<p>We do not allow content or activity on crates.io that:</p>
+
+<ul>
+  <li>violates the <a href='https://www.rust-lang.org/policies/code-of-conduct'>Code of Conduct</a> of the Rust project
+  </li>
+  <li>is unlawful or promotes unlawful activities, incurring legal liability in the countries the Rust Foundation
+    officially operates in
+  </li>
+  <li>is libelous, defamatory, or fraudulent</li>
+  <li>amounts to phishing or attempted phishing</li>
+  <li>infringes any proprietary right of any party, including patent, trademark, trade secret, copyright, right of
+    publicity, or other right
+  </li>
+  <li>unlawfully shares unauthorized product licensing keys, software for generating unauthorized product licensing
+    keys, or software for bypassing checks for product licensing keys, including extension of a free license beyond its
+    trial period
+  </li>
+  <li>contains malicious code, such as computer viruses, computer worms, rootkits, back doors, or spyware, including
+    content submitted for research purposes (tools designed and documented explicitly to assist in security research are
+    acceptable, but exploits and malware that use the crates.io registry as a deployment or delivery vector are not)
+  </li>
+  <li>uses obfuscation to hide or mask functionality</li>
+  <li>is discriminatory toward, harasses or abuses another individual or group</li>
+  <li>threatens or incites violence toward any individual or group, especially on the basis of who they are
+  </li>
+  <li>is using crates.io as a platform for propagating abuse on other platforms</li>
+  <li>violates the privacy of any third party, such as by posting another person's personal information without
+    consent
+  </li>
+  <li>gratuitously depicts or glorifies violence, including violent images</li>
+  <li>is sexually obscene or relates to sexual exploitation or abuse, including of minors (see &quot;Sexually Obscene
+    Content&quot; section below)
+  </li>
+  <li>is off-topic, or interacts with platform features in a way that significantly or repeatedly disrupts the
+    experience of other users
+  </li>
+  <li>exists only to reserve a name for a prolonged period of time (often called &quot;name squatting&quot;) without
+    having any genuine functionality, purpose, or significant development activity on the corresponding repository
+  </li>
+  <li>is related to buying, selling, or otherwise trading of package names or any other names on crates.io for money or
+    other compensation
+  </li>
+  <li>impersonates any person or entity, including through false association with crates.io, or by fraudulently
+    misrepresenting your identity or site's purpose
+  </li>
+  <li>is related to inauthentic interactions, such as fake accounts and automated inauthentic activity
+  </li>
+  <li>is using our servers for any form of excessive automated bulk activity, to place undue burden on our servers
+    through automated means, or to relay any form of unsolicited advertising or solicitation through our servers, such
+    as get-rich-quick schemes
+  </li>
+  <li>is using our servers for other automated excessive bulk activity or coordinated inauthentic activity, such as
+  </li>
+  <li>spamming</li>
+  <li>cryptocurrency mining</li>
+  <li>is not functionally compatible with the cargo build tool (for example, a &quot;package&quot; cannot simply be a
+    PNG or JPEG image, a movie file, or a text document uploaded directly to the registry)
+  </li>
+  <li>is abusing the package index for purposes it was not intended</li>
+</ul>
+
+<p>You are responsible for using crates.io in compliance with all applicable laws, regulations, and all of our policies.
+  These policies may be updated from time to time. We will interpret our policies and resolve disputes in favor of
+  protecting users as a whole. The crates.io team reserves the possibility to evaluate each instance on a case-by-case
+  basis.</p>
+
+<p>For issues such as DMCA violations, or trademark and copyright infringements, the crates.io team will respect the
+  legal decisions of the <a href='https://rustfoundation.org/'>Rust Foundation</a> as the official legal entity
+  providing the crates.io service.</p>
+
+<h2 id='package-ownership'>Package Ownership</h2>
+
+<p>crates.io has a first-come, first-serve policy on crate names. Upon publishing a package, the publisher will be made
+  owner of the package on crates.io.</p>
+
+<p>If you want to take over a package, we require you to first try and contact the current owner directly. If the
+  current owner agrees, they can add you as an owner of the crate, and you can then remove them, if necessary. If the
+  current owner is not reachable or has not published any contact information the crates.io team may reach out to help
+  mediate the process of the ownership transfer.</p>
+
+<p>Crate deletion by their owners is not possible to keep the registry as immutable as possible. If you want to flag
+  your crate as open for transferring ownership to others, you can publish a new version with a message in the README or
+  description communicating to the crates.io support team that you consent to transfer the crate to the first person who
+  asks for it:</p>
 
 <blockquote>
-  I consent to the transfer of this crate to the first person who asks
-  [email protected] for it.
+  <p>I consent to the transfer of this crate to the first person who asks [email protected] for it.</p>
 </blockquote>
 
-<h3 id='squatting'><a href='#squatting'>Squatting</a></h3>
+<p>The crates.io team may delete crates from the registry that do not comply with the policies on this document. In
+  larger cases of squatting attacks this may happen without prior notification to the author, but in most cases the team
+  will first give the author the chance to justify the purpose of the crate.</p>
 
-<p>
-  We do not have any policies to define 'squatting', and so will not hand over
-  ownership of a package for that reason.
-</p>
+<h2 id='data-access'>Data Access</h2>
 
-<h3 id='the-law'><a href='#the-law'>The Law</a></h3>
+<p>Details on how to access the crates.io data can be found on the dedicated <LinkTo @route="data-access">Data Access
+  Policy</LinkTo> page.</p>
 
-<p>
-  For issues such as DMCA violations, trademark and copyright infringement,
-  Crates.io will respect the <a href='https://foundation.rust-lang.org'>Rust Foundation</a>'s legal decisions with regards to content that
-  is hosted.
-</p>
+<h2 id='security'>Security</h2>
 
-<h3 id='code-of-conduct'><a href='#code-of-conduct'>Code of Conduct</a></h3>
+<p>Safety is one of the core principles of Rust, and to that end, we would like to ensure that cargo and crates.io have
+  secure implementations. To learn more about disclosing security vulnerabilities for these tools, please reference the
+  <a href='https://www.rust-lang.org/policies/security'>Rust Security policy</a>
+  for more details.</p>
 
-<p>
-  The Rust project has a
-  <a href='https://www.rust-lang.org/conduct.html'>Code of Conduct</a>
-  which governs appropriate conduct for the Rust community. In
-  general, any content on Crates.io that violates the Code of Conduct may be
-  removed. Here, content can refer to but is not limited to:
-</p>
+<p>Note that this policy only applies to official Rust projects like crates.io and cargo, and not individual crates. The
+  crates.io team and the Security Response working group are not responsible for the disclosure of vulnerabilities to
+  specific crates, and if any issues are found, you should seek guidance from the individual crate owners and their
+  specific policies instead.</p>
 
-<ul>
-  <li>Package Name</li>
-  <li>Package Metadata</li>
-  <li>Documentation</li>
-  <li>Code</li>
-</ul>
+<p>Thank you for taking the time to responsibly disclose any issues you find.</p>
+
+<h2 id='sexually-obscene-content'>Sexually Obscene Content</h2>
 
-<p>
-  There are two important, related aspects:
-</p>
+<p>We do not tolerate content associated with sexual exploitation or abuse of another individual, including where minors
+  are concerned. We do not allow sexually themed or suggestive content that serves little or no purpose other than to
+  solicit an erotic or shocking response, particularly where that content is amplified by its placement in profiles or
+  other social contexts.</p>
+
+<p>This includes:</p>
 
 <ul>
-  <li>
-    We will not be pro-actively monitoring the site for these kinds of
-    violations, but relying on the community to draw them to our attention.
+  <li>Pornographic content</li>
+  <li>Non-consensual intimate imagery</li>
+  <li>Graphic depictions of sexual acts including photographs, video, animation, drawings, computer-generated images, or
+    text-based content
   </li>
 
-  <li>
-    “Does this violate the Code of Conduct” is a contextual question that
-    cannot be directly answered in the hypothetical sense. All of the details
-    must be taken into consideration in these kinds of situations.
-  </li>
 </ul>
 
-<h2 id='security'><a href='#security'>Security</a></h2>
-
-<p>
-  Cargo and crates.io are projects that are governed by the Rust Programming
-  Language Team. Safety is one of the core principles of Rust, and to that end,
-  we would like to ensure that cargo and crates.io have secure implementations.
-  To learn more about disclosing security vulnerabilities, please reference the
-  <a href='https://www.rust-lang.org/security.html'>Rust Security policy</a> for
-  more details.
-</p>
-
-<p>
-  Thank you for taking the time to responsibly disclose any issues you find.
-</p>
-
-<h2 id='crawlers'><a href='#crawlers'>Crawlers</a></h2>
-
-<p>
-  Before resorting to crawling crates.io, please read
-  <LinkTo @route="data-access">Accessing the Crates.io Data</LinkTo>.
-</p>
-
-<p>
-  We allow our API and website to be crawled by commercial crawlers such as
-  GoogleBot. At our discretion, we may choose to allow access to experimental
-  crawlers, as long as they limit their request rate to 1 request per second or
-  less.
-</p>
-
-<p>
-  We also require all crawlers to provide a user-agent header that allows us to
-  uniquely identify your bot. This allows us to more accurately monitor any
-  impact your bot may have on our service. Providing a user agent that only
-  identifies your HTTP client library (such as "<code>request/0.9.1</code>") increases the
-  likelihood that we will block your traffic.
-
-  It is recommended, but not required, to include contact information in your user
-  agent. This allows us to contact you if we would like a change in your bot's
-  behavior without having to block your traffic.
-</p>
-
-<p>
-  Bad: "<code>User-Agent: reqwest/0.9.1</code>"<br>
-  Better: "<code>User-Agent: my_bot</code>"<br>
-  Best: "<code>User-Agent: my_bot (my_bot.com/info)</code>" or "<code>User-Agent: my_bot (help@my_bot.com)</code>"
-</p>
-
-<p>
-  We reserve the right to block traffic from any bot that we determine to be in
-  violation of this policy or causing an impact on the integrity of our service.
-</p>
+<p>We recognize that not all nudity or content related to sexuality is obscene. We may allow visual and/or textual
+  depictions in artistic, educational, historical or journalistic contexts, or as it relates to victim advocacy. In some
+  cases a disclaimer can help communicate the context of the project.</p>
+
+<h2 id='violations-and-enforcement'>Violations and Enforcement</h2>
+
+<p>crates.io retains full discretion to take action in response to a violation of these policies, including account
+  suspension, account termination, or removal of content.</p>
+
+<p>We will however not be proactively monitoring the site for these kinds of violations, but instead relying on the
+  community to draw them to our attention.</p>
+
+<p>While the majority of interactions between individuals in the Rust community falls within our policies, violations of
+  those policies do occur at times. When they do, the crates.io team may need to take enforcement action to address the
+  violations. In all cases, content and account deletion is permanent and there is no basis to reverse these moderation
+  actions taken by the crates.io team. Account suspension may be lifted at the team's discretion however, for
+  example in the case of someone's account being compromised.</p>
+
+<h2 id='credits-license'>Credits &amp; License</h2>
+
+<p>This policy is partially based on
+  <a href='https://github.com/pypi/warehouse/blob/3c404ada9fed7a03bbf7c3c74e86c383f705d96a/policies/acceptable-use-policy.md'>
+  PyPI’s Acceptable Use Policy</a> and modified from its original form.</p>
+
+<p>Licensed under the
+  <a href='https://creativecommons.org/licenses/by/4.0/'>Creative Commons Attribution 4.0 International license</a>.</p>