hackage-server
Captcha for hackage account registration
The reg page is getting hit with bots (they're not confirming the account, but it is placing load we don't want on our mailing system). We should add a simple captcha.
Which captcha service should we use? Google's recaptcha, or write our own? Would it have to do with stuff such as an API key?
Not sure. Whatever is easiest! I think we don't need to defeat sophisticated bots at the moment -- just have some guard. If it is easy to integrate with recaptcha what I would do is design it so that if a key is present (perhaps in a file in the data dir) then the captcha is used, otherwise not. That way we can turn it on optionally.
If recaptcha is a pain to integrate with or drags in deps, etc, then we could try to use e.g. https://hackage.haskell.org/package/hs-captcha although either it or its dependency gd or both may have bitrotted a little and need some updating.
Honestly given the level of screening we probably need to deter this, something simpler still might work -- I think the bots hitting us are just sort of dropping emails and text in any form that looks remotely plausible, and there's no incentive to tune them if we change up our server in any way to deter them.