crates.io icon indicating copy to clipboard operation
crates.io copied to clipboard
verified publisher icon rust-lang

Implement publish notifications opt-out

Open Turbo87 opened this issue 1 year ago • 9 comments

It looks like some people are rather unhappy about the new publish notifications introduced in #9341 (see https://rust-lang.zulipchat.com/#narrow/stream/318791-t-crates-io/topic/publish.20notification.20emails/near/465824072 and https://github.com/rust-lang/crates.io/issues/9355).

This PR adds a per-user settings flag to opt-out of these notifications:

Bildschirmfoto 2024-09-03 um 17 40 57

This PR is best reviewed commit by commit 😉

Resolves #9355

Turbo87 avatar Aug 29 '24 15:08 Turbo87

Codecov Report

Attention: Patch coverage is 97.72727% with 3 lines in your changes missing coverage. Please review.

Project coverage is 89.09%. Comparing base (cdb554c) to head (fc92785). Report is 37 commits behind head on main.

Files with missing lines Patch % Lines
src/controllers/user/update.rs 95.16% 3 Missing :warning:
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #9359      +/-   ##
==========================================
+ Coverage   89.06%   89.09%   +0.03%     
==========================================
  Files         285      286       +1     
  Lines       28938    29032      +94     
==========================================
+ Hits        25773    25867      +94     
  Misses       3165     3165

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.

codecov[bot] avatar Aug 29 '24 16:08 codecov[bot]

I assume the email should be updated with an "Unsubscribe" link to make sure people are aware of this.

In general, I think enabled-by-default will make security worse, not better. First, the concern over the lack of an opt-out was raised about a year ago. In that discussion, I called out the security risks of spamming people with this. Even when "unsubscribe" links are provided, it seems users are more inclined to click the "spam" button than to unsubscribe. Email providers seem to cross-pollinate that information between accounts and start treating it as spam even if you never said it was. This means one user not wanting email notifications can effectively opt-out other users from getting these emails! A user who wants the emails is trusting in the system to receive them and think everything is ok because they haven't received one. It can be easy to overlook the lack of emails being sent when you do your own publishes, if you are in that scenario.

epage avatar Sep 03 '24 16:09 epage

I'd recommend considering the rollup feature requested in #9355 as well, as the confirmation is nice and can help catch something like a leaked publish token. It's just the number of emails that's kind of the issue.

abonander avatar Sep 03 '24 22:09 abonander

Without diminishing the pain this is causing. Why has this been such a large issue in our community when many other ecosystems do not provide an opt out? pypi, npn, and others do not have an opt out. what is different about the implementation or the community to cause the disparate impact?

A user who wants the emails is trusting in the system to receive them and think everything is ok because they haven't received one.

A non-distributed version of this problem is also a problem if we provide an opt out. An attacker can opt out then publish then opt back in so that the website still says your opted in but you never got the email for the publish.

Eh2406 avatar Sep 04 '24 16:09 Eh2406

pypi, npn, and others do not have an opt out. what is different about the implementation or the community to cause the disparate impact?

As I brought up on zulip, I have no idea what policy PyPI uses but I've never received a notification for a publish to PyPI. I am a sole owner on a couple of packages and published one this morning.

We also shouldn't blindly copy from other ecosystems but see what lessons we can learn from them and adapt accordingly.

epage avatar Sep 04 '24 17:09 epage

Without diminishing the pain this is causing. Why has this been such a large issue in our community when many other ecosystems do not provide an opt out? pypi, npn, and others do not have an opt out. what is different about the implementation or the community to cause the disparate impact?

At least what makes me really want this feature is the "owner accounts" pattern that is popular in crates from large organizations. For example, I receive notifications from @rust-lang-owner, and that means every monday I get ~35 emails about rust-analyzer being published, or ~10 emails when cargo gets published after a new release, and random emails whenever a CI workflow somewhere in the rust-lang org publishes a crate.

Those emails are pure noise, because I am not involved in any way about those crate publishes, and I can't verify whether those were intentional or not.

A non-distributed version of this problem is also a problem if we provide an opt out. An attacker can opt out then publish then opt back in so that the website still says your opted in but you never got the email for the publish.

We can have the website send an email whenever notifications are disabled and enabled, to ensure there are at least some mails receive. We can make that "notifications disabled" email as scary as it needs to be.

pietroalbini avatar Sep 06 '24 08:09 pietroalbini

why don't these notifications at least come in digest format? seeing 1 publish notif in a day would be "okay, good to know", seeing 10 is like... why.

the same line of "Successfully published" over and over again

workingjubilee avatar Sep 06 '24 20:09 workingjubilee

oh, we're calling a digest format a "rollup" today, got it. sorry, didn't quite parse out things on the first pass.

workingjubilee avatar Sep 06 '24 20:09 workingjubilee

@rust-lang/crates-io this still needs a review... 😉

Turbo87 avatar Sep 11 '24 11:09 Turbo87