[Feature]: Add More Granular Abuse Report Categories for NuGet Packages
Related Problem
No response
The Elevator Pitch
Context
During a discussion with Microsoft Legal, we explored the idea of NuGet adopting a more transparent DMCA takedown process similar to GitHub's (GitHub DMCA repository). This would allow NuGet to provide greater visibility into DMCA complaints and improve transparency within the .NET OSS ecosystem.
Proposal
In addition to implementing a transparent DMCA process, it would be beneficial to improve the granularity of abuse reporting categories for NuGet packages. The current reporting categories, such as those shown in NuGet's reporting system (e.g., copyright infringement, malicious code, hate speech), are broad but could benefit from additional specificity to address issues commonly faced by the community when they don't "trust" a package.
Suggested Report Categories:
To further support transparency and trust within the ecosystem, consider adding additional categories like:
- Impersonation or misleading information – For packages that mislead users about their origin or author.
- Dependency hijacking/typosquatting – For packages mimicking trusted libraries to exploit users.
- License violations – For misuse of open-source licenses.
- Abandonware/Outdated package – For packages that have been abandoned by the maintainer and could pose trust or functionality issues.
Benefits
By expanding these categories and adopting a transparent DMCA reporting process, NuGet can better support users in maintaining trust within the ecosystem. The additional abuse categories would allow users to more accurately describe their concerns and help the platform address issues more effectively, enhancing overall package reliability and security.
One such thought is that enough reports by the community for impersonation, hijacking, license violations, etc. would allow NuGet to take more proactive action while DMCA processes are figured out in parallel, due to community concern and NuGet's current ToS.
Additional Context and Details
No response
^ @drewgillies
@erdembayar I've removed the customer issue label as we don't wish to track this as an issue raised by a customer. We can discuss if necessary.