// lists.debian.org does not like my mailserver's aggressive DMARC // configuration. Some might be receiving this thread without the first // email. Sorry for the nuisance.
Hello Andy, thanks for the response. > You may be better off addressing your concern to the debian-project > mailing list, pr possibly debian-www. > > https://lists.debian.org/debian-project/ > https://lists.debian.org/debian-www/ This appears to be what I needed 👍️. > Having said that, I can't replicate what you're talking about. When I > visit https://packages.debian.org/ in Firefox and Chromium I don't > experience any problems. I do have JavaScript enabled. Are you disabling > that? Are you seeing a captcha or is it something else? Yes, I am disabling JS and the website says "Please enable JavaScript to proceed." then. Nonetheless, _fingerprinting_ performed by the JS is the main issue I'd like to talk about. For a reason: these days complaints about the JS as such are uneffective. Tracking, however, *might* be looked at more seriously. I additionally mentioned JS towards the end because it it felt wrong to be completely silent about it (and because I suspect computer literate people dwell on this mailing list and they can understand this thing). > I do know that on the bug tracker web interface Debian is using a > different form of anti-bot software: Haphash. That won't work without > JS enabled. I've seen that other parts of Debian's infrastructure use other bot-blocker(s). I had not investigated them when starting this thread. I am looking at haphash now — it seems fair compared to Fastly. No superfluous browser details get collected. > As regards justification though, again I'm not speaking on behalf of > Debian but I would just note that volunteer efforts don't really need to > justify anything. Oh, I meant that my email itself to be a justification for my request and for my complaint. I did not mean to request a justification from someone. > I was researching anti-bot mechanisms myself recently, as some of my > sites are experiencing scraper bot problems. The most popular one seems > to be Anubis and that's a JS_based challenge. Indeed. Well, it supports several kinds of challenges, including JS-free ones — yet, the most popular ones are, as you've witnessed, the JS-based ones. There are many, many more similar tools. And in some sense all that use Proof-of-Work challenges are unnecessary. Even a joke as at [1] stops the bots. Webmasters, however, seem to prefer blockers that don't require the user to click / type anything. Hence the popularity of Anubis, iocaine, etc. [1] https://git.koszko.org/stop-crawlers?then=simple-browser-extension%2Flog%2F Best! Wojtek PS. I am not subscribed to debian-user@. Please Cc [email protected]. Thanks! -- W. Kosior website: https://koszko.org/koszko.html fediverse: https://friendica.me/profile/koszko/profile PGP fingerprint: E972 7060 E3C5 637C 8A4F 4B42 4BC5 221C 5A79 FD1A On Wed, 15 Apr 2026 14:59:41 +0000 Andy Smith <[email protected]> wrote: > Hi, > > On Wed, Apr 15, 2026 at 04:01:20PM +0200, W. Kosior wrote: > > I became extremely concerned when I noticed that > > https://packages.debian.org now includes a bot blocker from Fastly. > > This email is (1) a complaint, (2) a request to the community to come up > > with something that treats users better, and (3) a justification for > > (1) and (2). > > You've sent your mail to debian-user, a group of users of Debian like > you. We don't have any authority or ability to speak for the Debian > project nor to effect change in the Debian project's web sites. You may > be better off addressing your concern to the debian-project mailing > list, pr possibly debian-www. > > https://lists.debian.org/debian-project/ > https://lists.debian.org/debian-www/ > > So as regards (1) and (3) we're not the right place. > > Having said that, I can't replicate what you're talking about. When I > visit https://packages.debian.org/ in Firefox and Chromium I don't > experience any problems. I do have JavaScript enabled. Are you disabling > that? Are you seeing a captcha or is it something else? > > I do know that on the bug tracker web interface Debian is using a > different form of anti-bot software: Haphash. That won't work without > JS enabled. > > As regards justification though, again I'm not speaking on behalf of > Debian but I would just note that volunteer efforts don't really need to > justify anything. We're all just trying to get by. When you do contact > Debian I would just stick to describing what doesn't work for you and > asking if it can be done better. > > Personally I was a bit dismayed to see things requiring JS put in front > of Debian sites, even though I do routinely allow JS myself. But if > that's what was deemed necessary, so be it. > > I don't know what the case is with what you're seeing because I don't > experience it. > > I was researching anti-bot mechanisms myself recently, as some of my > sites are experiencing scraper bot problems. The most popular one seems > to be Anubis and that's a JS_based challenge. As is Haphas, as already > mentioned. I also found iocaine: > > https://iocaine.madhouse-project.org/ > > That one doesn't seem to do a JS challenge, but it seemed quite complex > and strange to me. Especially when I started to read that its author's > own configuration was a whole other thing called Nam-Shub of Enki. > > https://3.nam-shub-of-enki.iocaine.madhouse-project.org/index.html > > The style is a bit impenetrable for me. I'll have to research more. > > Thanks, > Andy >
pgpVgosNfhzkp.pgp
Description: OpenPGP digital signature

