// lists.debian.org does not like my mailserver's aggressive DMARC
// configuration.  Some might be receiving this thread without the first
// email.  Sorry for the nuisance.

Hello Andy,

thanks for the response.

> You may be better off addressing your concern to the debian-project
> mailing list, pr possibly debian-www.
> 
>     https://lists.debian.org/debian-project/
>     https://lists.debian.org/debian-www/

This appears to be what I needed 👍️.

> Having said that, I can't replicate what you're talking about. When I
> visit https://packages.debian.org/ in Firefox and Chromium I don't
> experience any problems. I do have JavaScript enabled. Are you disabling
> that? Are you seeing a captcha or is it something else?

Yes, I am disabling JS and the website says "Please enable JavaScript
to proceed." then.

Nonetheless, _fingerprinting_ performed by the JS is the main issue I'd
like to talk about.  For a reason: these days complaints about the JS
as such are uneffective.  Tracking, however, *might* be looked at more
seriously.  I additionally mentioned JS towards the end because it it
felt wrong to be completely silent about it (and because I suspect
computer literate people dwell on this mailing list and they can
understand this thing).

> I do know that on the bug tracker web interface Debian is using a
> different form of anti-bot software: Haphash. That won't work without
> JS enabled.

I've seen that other parts of Debian's infrastructure use other
bot-blocker(s).  I had not investigated them when starting this thread.
I am looking at haphash now — it seems fair compared to Fastly.  No
superfluous browser details get collected.

> As regards justification though, again I'm not speaking on behalf of
> Debian but I would just note that volunteer efforts don't really need to
> justify anything.

Oh, I meant that my email itself to be a justification for my request
and for my complaint.  I did not mean to request a justification from
someone.

> I was researching anti-bot mechanisms myself recently, as some of my
> sites are experiencing scraper bot problems. The most popular one seems
> to be Anubis and that's a JS_based challenge.

Indeed.  Well, it supports several kinds of challenges, including
JS-free ones — yet, the most popular ones are, as you've witnessed, the
JS-based ones.

There are many, many more similar tools.  And in some sense all that use
Proof-of-Work challenges are unnecessary.  Even a joke as at [1] stops
the bots.  Webmasters, however, seem to prefer blockers that don't
require the user to click / type anything.  Hence the popularity of
Anubis, iocaine, etc.

[1] https://git.koszko.org/stop-crawlers?then=simple-browser-extension%2Flog%2F

Best!
Wojtek

PS. I am not subscribed to debian-user@.  Please Cc [email protected].
    Thanks!

--
W. Kosior

website: https://koszko.org/koszko.html
fediverse: https://friendica.me/profile/koszko/profile
PGP fingerprint: E972 7060 E3C5 637C 8A4F  4B42 4BC5 221C 5A79 FD1A


On Wed, 15 Apr 2026 14:59:41 +0000
Andy Smith <[email protected]> wrote:

> Hi,
> 
> On Wed, Apr 15, 2026 at 04:01:20PM +0200, W. Kosior wrote:
> > I became extremely concerned when I noticed that
> > https://packages.debian.org now includes a bot blocker from Fastly.
> > This email is (1) a complaint, (2) a request to the community to come up
> > with something that treats users better, and (3) a justification for
> > (1) and (2).  
> 
> You've sent your mail to debian-user, a group of users of Debian like
> you. We don't have any authority or ability to speak for the Debian
> project nor to effect change in the Debian project's web sites. You may
> be better off addressing your concern to the debian-project mailing
> list, pr possibly debian-www.
> 
>     https://lists.debian.org/debian-project/
>     https://lists.debian.org/debian-www/
> 
> So as regards (1) and (3) we're not the right place.
> 
> Having said that, I can't replicate what you're talking about. When I
> visit https://packages.debian.org/ in Firefox and Chromium I don't
> experience any problems. I do have JavaScript enabled. Are you disabling
> that? Are you seeing a captcha or is it something else?
> 
> I do know that on the bug tracker web interface Debian is using a
> different form of anti-bot software: Haphash. That won't work without
> JS enabled.
> 
> As regards justification though, again I'm not speaking on behalf of
> Debian but I would just note that volunteer efforts don't really need to
> justify anything. We're all just trying to get by. When you do contact
> Debian I would just stick to describing what doesn't work for you and
> asking if it can be done better.
> 
> Personally I was a bit dismayed to see things requiring JS put in front
> of Debian sites, even though I do routinely allow JS myself. But if
> that's what was deemed necessary, so be it.
> 
> I don't know what the case is with what you're seeing because I don't
> experience it.
> 
> I was researching anti-bot mechanisms myself recently, as some of my
> sites are experiencing scraper bot problems. The most popular one seems
> to be Anubis and that's a JS_based challenge. As is Haphas, as already
> mentioned. I also found iocaine:
> 
>     https://iocaine.madhouse-project.org/
> 
> That one doesn't seem to do a JS challenge, but it seemed quite complex
> and strange to me. Especially when I started to read that its author's
> own configuration was a whole other thing called Nam-Shub of Enki.
> 
>     https://3.nam-shub-of-enki.iocaine.madhouse-project.org/index.html
> 
> The style is a bit impenetrable for me. I'll have to research more.
> 
> Thanks,
> Andy
> 


Attachment: pgpVgosNfhzkp.pgp
Description: OpenPGP digital signature

Reply via email to