From b63e9c6ae7753058ca8551d0dcff9b964536be5f Mon Sep 17 00:00:00 2001
From: Tobias Bieniek <tobias@bieniek.cloud>
Date: Tue, 7 Nov 2023 10:41:38 +0100
Subject: [PATCH] Integrate "crates.io Policy Update" RFC

see https://github.com/rust-lang/rfcs/pull/3463
---
 app/components/footer.hbs     |   2 +-
 app/templates/data-access.hbs |   2 +-
 app/templates/policies.hbs    | 274 ++++++++++++++++------------------
 3 files changed, 133 insertions(+), 145 deletions(-)

diff --git a/app/components/footer.hbs b/app/components/footer.hbs
index e25435dc090..4f8c37c73e9 100644
--- a/app/components/footer.hbs
+++ b/app/components/footer.hbs
@@ -22,7 +22,7 @@
     <div>
       <h1>Policies</h1>
       <ul role="list">
-        <li><LinkTo @route="policies">Package Policies</LinkTo></li>
+        <li><LinkTo @route="policies">Usage Policy</LinkTo></li>
         <li><a href="https://www.rust-lang.org/policies/security">Security</a></li>
         <li><a href="https://foundation.rust-lang.org/policies/privacy-policy/">Privacy Policy</a></li>
         <li><a href="https://www.rust-lang.org/policies/code-of-conduct">Code of Conduct</a></li>
diff --git a/app/templates/data-access.hbs b/app/templates/data-access.hbs
index fba00a2a41c..99a208669c4 100644
--- a/app/templates/data-access.hbs
+++ b/app/templates/data-access.hbs
@@ -1,4 +1,4 @@
-<PageHeader @title="Accessing crates.io data" />
+<PageHeader @title="Data Access Policy" />
 
 <TextContent @boxed={{true}}>
   <p>
diff --git a/app/templates/policies.hbs b/app/templates/policies.hbs
index 52d7a86b433..da9072fb1e2 100644
--- a/app/templates/policies.hbs
+++ b/app/templates/policies.hbs
@@ -1,164 +1,152 @@
-<PageHeader @title="Crates.io Package Policies" />
+<PageHeader @title='Usage Policy' />
 
 <TextContent @boxed={{true}}>
-  <p>
-    In general, these policies are guidelines. Problems are often contextual, and
-    exceptional circumstances sometimes require exceptional measures. We plan to
-    continue to clarify and expand these rules over time as new circumstances
-    arise. If your problem is not described below, consider
-    <a href='mailto:help@crates.io'>sending us an email</a>.
-  </p>
-
-  <h2 id='package-ownership'><a href='#package-ownership'>Package Ownership</a></h2>
-
-  <p>
-    We have a first-come, first-served policy on crate names. Upon publishing a
-    package, the publisher will be made owner of the package on Crates.io.
-  </p>
-
-  <p>
-    If someone wants to take over a package, and the previous owner agrees, the
-    existing maintainer can add them as an owner, and the new maintainer can remove
-    them. If necessary, the team may reach out to inactive maintainers and help
-    mediate the process of ownership transfer.
-  </p>
-
-  <p>
-    Using an automated tool to claim ownership of a large number of package names
-    is not permitted. We reserve the right to block traffic or revoke ownership
-    of any package we determine to have been claimed by an automated tool.
-  </p>
-
-  <h2 id='removal'><a href='#removal'>Removal</a></h2>
-
-  <p>
-    Many questions are specialized instances of a more general form: “Under what
-    circumstances can a package be removed from Crates.io?”
-  </p>
-
-  <p>
-    The short version is that packages are first-come, first-served, and we won’t
-    attempt to get into policing what exactly makes a legitimate package. We will
-    do what the law requires us to do, and address flagrant violations of the Rust
-    Code of Conduct.
-  </p>
-
-  <h3 id='delete-crate'><a href='#delete-crate'>How can I delete a crate I own from the registry?</a></h3>
-
-  <p>
-    You can't delete crates from the registry, but you can leave it open for
-    transferring ownership to others.
-  </p>
-
-  <p>
-    To do this, you must publish a version with a message in the README
-    communicating to crates.io support team that you consent to transfer the
-    crate to the first person who asks for it:
-  </p>
+  <p><strong>Short version:</strong>
+    <em>crates.io is a critical resource for the Rust ecosystem, which hosts a variety of packages from a diverse group of
+    users. That resource is only effective when our users are able to work together as part of a community in good
+    faith. While using crates.io, you must comply with our Acceptable Use Policies, which include some restrictions on
+    content and conduct on crates.io related to user safety, intellectual property, privacy, authenticity, and other
+    limitations. In short, be excellent to each other!</em></p>
+
+  <p>We do not allow content or activity on crates.io that:</p>
+
+  <ul>
+    <li>violates the <a href='https://www.rust-lang.org/policies/code-of-conduct'>Code of Conduct</a> of the Rust project</li>
+    <li>is unlawful or promotes unlawful activities, incurring legal liability in the countries the Rust Foundation
+      officially operates in</li>
+    <li>is libelous, defamatory, or fraudulent</li>
+    <li>amounts to phishing or attempted phishing</li>
+    <li>infringes any proprietary right of any party, including patent, trademark, trade secret, copyright, right of
+      publicity, or other right</li>
+    <li>unlawfully shares unauthorized product licensing keys, software for generating unauthorized product licensing
+      keys, or software for bypassing checks for product licensing keys, including extension of a free license beyond its
+      trial period</li>
+    <li>contains malicious code, such as computer viruses, computer worms, rootkits, back doors, or spyware, including
+      content submitted for research purposes (tools designed and documented explicitly to assist in security research are
+      acceptable, but exploits and malware that use the crates.io registry as a deployment or delivery vector are not)</li>
+    <li>uses obfuscation to hide or mask functionality</li>
+    <li>is discriminatory toward, harasses or abuses another individual or group</li>
+    <li>threatens or incites violence toward any individual or group, especially on the basis of who they are</li>
+    <li>is using crates.io as a platform for propagating abuse on other platforms</li>
+    <li>violates the privacy of any third party, such as by posting another person's personal information without
+      consent</li>
+    <li>gratuitously depicts or glorifies violence, including violent images</li>
+    <li>is sexually obscene or relates to sexual exploitation or abuse, including of minors (see &quot;Sexually Obscene
+      Content&quot; section below)</li>
+    <li>is off-topic, or interacts with platform features in a way that significantly or repeatedly disrupts the
+      experience of other users</li>
+    <li>exists only to reserve a name for a prolonged period of time (often called &quot;name squatting&quot;) without
+      having any genuine functionality, purpose, or significant development activity on the corresponding repository</li>
+    <li>is related to buying, selling, or otherwise trading of package names or any other names on crates.io for money or
+      other compensation</li>
+    <li>impersonates any person or entity, including through false association with crates.io, or by fraudulently
+      misrepresenting your identity or site's purpose</li>
+    <li>is related to inauthentic interactions, such as fake accounts and automated inauthentic activity</li>
+    <li>is using our servers for any form of excessive automated bulk activity, to place undue burden on our servers
+      through automated means, or to relay any form of unsolicited advertising or solicitation through our servers, such
+      as get-rich-quick schemes</li>
+    <li>is using our servers for other automated excessive bulk activity or coordinated inauthentic activity, such as</li>
+    <li>spamming</li>
+    <li>cryptocurrency mining</li>
+    <li>is not functionally compatible with the cargo build tool (for example, a &quot;package&quot; cannot simply be a
+      PNG or JPEG image, a movie file, or a text document uploaded directly to the registry)</li>
+    <li>is abusing the package index for purposes it was not intended</li>
+  </ul>
+
+  <p>You are responsible for using crates.io in compliance with all applicable laws, regulations, and all of our policies.
+    These policies may be updated from time to time. We will interpret our policies and resolve disputes in favor of
+    protecting users as a whole. The crates.io team reserves the possibility to evaluate each instance on a case-by-case
+    basis.</p>
+
+  <p>For issues such as DMCA violations, or trademark and copyright infringements, the crates.io team will respect the
+    legal decisions of the <a href='https://rustfoundation.org/'>Rust Foundation</a> as the official legal entity
+    providing the crates.io service.</p>
+
+  <h2 id='package-ownership'>Package Ownership</h2>
+
+  <p>crates.io has a first-come, first-serve policy on crate names. Upon publishing a package, the publisher will be made
+    owner of the package on crates.io.</p>
+
+  <p>If you want to take over a package, we require you to first try and contact the current owner directly. If the
+    current owner agrees, they can add you as an owner of the crate, and you can then remove them, if necessary. If the
+    current owner is not reachable or has not published any contact information the crates.io team may reach out to help
+    mediate the process of the ownership transfer.</p>
+
+  <p>Crate deletion by their owners is not possible to keep the registry as immutable as possible. If you want to flag
+    your crate as open for transferring ownership to others, you can publish a new version with a message in the README or
+    description communicating to thecrates.io support team that you consent to transfer the crate to the first person who
+    asks for it:</p>
 
   <blockquote>
     I consent to the transfer of this crate to the first person who asks
     help@crates.io for it.
   </blockquote>
 
-  <h3 id='squatting'><a href='#squatting'>Squatting</a></h3>
+  <p>The crates.io team may delete crates from the registry that do not comply with the policies on this document. In
+    larger cases of squatting attacks this may happen without prior notification to the author, but in most cases the team
+    will first give the author the chance to justify the purpose of the crate.</p>
 
-  <p>
-    We do not have any policies to define 'squatting', and so will not hand over
-    ownership of a package for that reason.
-  </p>
+  <h2 id='data-access'>Data Access</h2>
 
-  <h3 id='the-law'><a href='#the-law'>The Law</a></h3>
+  <p>Details on how to access the crates.io data can be found on the dedicated <LinkTo @route="data-access">Data Access
+    Policy</LinkTo> page.</p>
 
-  <p>
-    For issues such as DMCA violations, trademark and copyright infringement,
-    Crates.io will respect the <a href='https://foundation.rust-lang.org'>Rust Foundation</a>'s legal decisions with regards to content that
-    is hosted.
-  </p>
+  <h2 id='security'>Security</h2>
 
-  <h3 id='code-of-conduct'><a href='#code-of-conduct'>Code of Conduct</a></h3>
+  <p>Safety is one of the core principles of Rust, and to that end, we would like to ensure that cargo and crates.io have
+    secure implementations. To learn more about disclosing security vulnerabilities for these tools, please reference the
+    <a href='https://www.rust-lang.org/policies/security'>Rust Security policy</a>
+    for more details.</p>
 
-  <p>
-    The Rust project has a
-    <a href='https://www.rust-lang.org/conduct.html'>Code of Conduct</a>
-    which governs appropriate conduct for the Rust community. In
-    general, any content on Crates.io that violates the Code of Conduct may be
-    removed. Here, content can refer to but is not limited to:
-  </p>
+  <p>Note that this policy only applies to official Rust projects like crates.io and cargo, and not individual crates. The
+    crates.io team and the Security Response working group are not responsible for the disclosure of vulnerabilities to
+    specific crates, and if any issues are found, you should seek guidance from the individual crate owners and their
+    specific policies instead.</p>
 
-  <ul>
-    <li>Package Name</li>
-    <li>Package Metadata</li>
-    <li>Documentation</li>
-    <li>Code</li>
-  </ul>
+  <p>Thank you for taking the time to responsibly disclose any issues you find.</p>
 
-  <p>
-    There are two important, related aspects:
-  </p>
+  <h2 id='sexually-obscene-content'>Sexually Obscene Content</h2>
+
+  <p>We do not tolerate content associated with sexual exploitation or abuse of another individual, including where minors
+    are concerned. We do not allow sexually themed or suggestive content that serves little or no purpose other than to
+    solicit an erotic or shocking response, particularly where that content is amplified by its placement in profiles or
+    other social contexts.</p>
+
+  <p>This includes:</p>
 
   <ul>
-    <li>
-      We will not be pro-actively monitoring the site for these kinds of
-      violations, but relying on the community to draw them to our attention.
+    <li>Pornographic content</li>
+    <li>Non-consensual intimate imagery</li>
+    <li>Graphic depictions of sexual acts including photographs, video, animation, drawings, computer-generated images, or
+      text-based content
     </li>
 
-    <li>
-      “Does this violate the Code of Conduct” is a contextual question that
-      cannot be directly answered in the hypothetical sense. All of the details
-      must be taken into consideration in these kinds of situations.
-    </li>
-  </ul>
+    </ul>
+
+  <p>We recognize that not all nudity or content related to sexuality is obscene. We may allow visual and/or textual
+    depictions in artistic, educational, historical or journalistic contexts, or as it relates to victim advocacy. In some
+    cases a disclaimer can help communicate the context of the project.</p>
+
+  <h2 id='violations-and-enforcement'>Violations and Enforcement</h2>
+
+  <p>crates.io retains full discretion to take action in response to a violation of these policies, including account
+    suspension, account termination, or removal of content.</p>
+
+  <p>We will however not be proactively monitoring the site for these kinds of violations, but instead relying on the
+    community to draw them to our attention.</p>
+
+  <p>While the majority of interactions between individuals in the Rust community falls within our policies, violations of
+    those policies do occur at times. When they do, the crates.io team may need to take enforcement action to address the
+    violations. In all cases, content and account deletion is permanent and there is no basis to reverse these moderation
+    actions taken by the crates.io team. Account suspension may be lifted at the team's discretion however, for
+    example in the case of someone's account being compromised.</p>
+
+  <h2 id='credits-license'>Credits &amp; License</h2>
+
+  <p>This policy is partially based on
+    <a href='https://github.com/pypi/warehouse/blob/3c404ada9fed7a03bbf7c3c74e86c383f705d96a/policies/acceptable-use-policy.md'>
+    PyPI’s Acceptable Use Policy</a> and modified from its original form.</p>
 
-  <h2 id='security'><a href='#security'>Security</a></h2>
-
-  <p>
-    Cargo and crates.io are projects that are governed by the Rust Programming
-    Language Team. Safety is one of the core principles of Rust, and to that end,
-    we would like to ensure that cargo and crates.io have secure implementations.
-    To learn more about disclosing security vulnerabilities, please reference the
-    <a href='https://www.rust-lang.org/security.html'>Rust Security policy</a> for
-    more details.
-  </p>
-
-  <p>
-    Thank you for taking the time to responsibly disclose any issues you find.
-  </p>
-
-  <h2 id='crawlers'><a href='#crawlers'>Crawlers</a></h2>
-
-  <p>
-    Before resorting to crawling crates.io, please read
-    <LinkTo @route="data-access">Accessing the Crates.io Data</LinkTo>.
-  </p>
-
-  <p>
-    We allow our API and website to be crawled by commercial crawlers such as
-    GoogleBot. At our discretion, we may choose to allow access to experimental
-    crawlers, as long as they limit their request rate to 1 request per second or
-    less.
-  </p>
-
-  <p>
-    We also require all crawlers to provide a user-agent header that allows us to
-    uniquely identify your bot. This allows us to more accurately monitor any
-    impact your bot may have on our service. Providing a user agent that only
-    identifies your HTTP client library (such as "<code>request/0.9.1</code>") increases the
-    likelihood that we will block your traffic.
-
-    It is recommended, but not required, to include contact information in your user
-    agent. This allows us to contact you if we would like a change in your bot's
-    behavior without having to block your traffic.
-  </p>
-
-  <p>
-    Bad: "<code>User-Agent: reqwest/0.9.1</code>"<br>
-    Better: "<code>User-Agent: my_bot</code>"<br>
-    Best: "<code>User-Agent: my_bot (my_bot.com/info)</code>" or "<code>User-Agent: my_bot (help@my_bot.com)</code>"
-  </p>
-
-  <p>
-    We reserve the right to block traffic from any bot that we determine to be in
-    violation of this policy or causing an impact on the integrity of our service.
-  </p>
+  <p>Licensed under the
+    <a href='https://creativecommons.org/licenses/by/4.0/'>Creative Commons Attribution 4.0 International license</a>.</p>
 </TextContent>
\ No newline at end of file