crates.io icon indicating copy to clipboard operation
crates.io copied to clipboard
verified publisher icon rust-lang

Publish email notification can not be turned off, and are not rolled up

Open lucacasonato opened this issue 1 year ago • 1 comments

Hey folks - I'm one of the maintainers of Deno. On every release, we release ~25 different crates. In a week, we publish anywhere from 25-100 new crate versions.

The new publish email notifiations are unfortunately very disruptive to my email inbox. During a release, 25 seperate 1 paragraph emails are sent to all owners of the deno_* crates.

I understand this is a security feature designed to ensure a publish can not happen without an owner noticing. However because of the sheer volume of emails, every owner will now have to set up an email filter that directs these notifications directly into the trash - that is quite unfortunate because it is a lot of effort for everyone to do, and completely negates the security purpose of this feature.

I think it would be a lot more useful if:

a) users had control over whether they want to get these emails or not (for example teams that have a bot account as an owner could receive all emails into a shared inbox rather than personal emails, so individual users could turn this off in crates.io, at the source)

b) notification emails were rolled up when many publishes occur in a short timeframe. if we got 1 email for every release, that said "25 crates successfully published" and listed the crate names and versions, this would be a useful feature.

I hope this doesn't come across too negative - I'm really glad you all are working on crates.io! The current iteration of this feature is just very very prone to alert fatigue, which is something that we should really try to avoid, especially for security related features.

lucacasonato avatar Aug 28 '24 21:08 lucacasonato

Just ran into this. I can definitely see the use for it, especially if a publication wasn't intended (accidental, or leaked publish token or some sort of breach in a CI-based process), but it is rather off-putting to get so many emails in a short time:

image

This can't help with hosting costs, either, as most email providers generally charge per-email (or with tiered pricing per some number of emails). And I'd be worried about it getting caught in spam filters, which helps no one.

abonander avatar Sep 03 '24 22:09 abonander