> Nothing (reasonable) can protect against direct lightning strikes
Belkin make a number of surge protectors which offer a connected equipment warranty in the UK. Admittedly: financial protection, not data protection, but I felt it was worthwhile for the peace of mind.
Have they ever paid out on one of those, or is it like CAs who offer liability protection for their certificates carefully set up in such a way that they never have to pay out.
In the past week (besides the constant slop), there are models which have misattributed the copyright of new files to me, and stripped my copyright from existing files. It's sapping up time, energy and motivation.
> when we catch the accounts doing this we can (and do) take action against those accounts including banning the accounts.
This isn't my experience. I requested that you looked into a spammer in July 2025, you ignored my reply and the account is still active.
----
Thank you so much for the report. We're sorry to hear you're receiving unwanted emails, but it's always a possibility when your public contact information is listed on the web. You can keep your email address private if you wish by following the steps here:
Setting your commit email address
We do expect our users to comply with our Terms of Service, which prohibits transmitting using information from the GitHub (whether scraped, collected through our API, or obtained otherwise) for spamming purposes. I'm happy to look into it further to see if we can contact the reported user and let them know that this type of activity is not allowed.
Please let us know if you have any other questions or concerns.
----
My reply which was ignored:
----
I understand it will happen from time to time. I'd rather be contactable (I've received legitimate emails today because my email is on my profile).
Please take further action. My email is public with the expectation that the ToS will be enforced. If GitHub isn't discouraging spammers then it makes it much harder to justify being contactable.
I reported spammers ~5 times to GH, and every time the account went down in a couple of hours. Obviously mileage may vary, but I don't want the whole HN to think this process is completely broken.
I did report email spam to GH, and both got reply for them and seen their page go 404.
It was years ago though. Since I've enabled "hide my email" setting, and set that GH-generated email to my git config, "try my project" spam ceased to be an issue.
It's impossible for them to stop if you list your email on there. They could make it harder of course. But if you put your email out there for a human to find, then a script or bot or also find it.
And yes of course they can also stop a specific spammer. But that spammer may pick up another account and email.
The grandparent post wasn't asking for them to do the impossible and stop all spamming, only to take action against the particular user that spammed them.
>> it's always a possibility when your public contact information is listed on the web
Sounds correct to me
> Please take further action. My email is public with the expectation that the ToS will be enforced.
What magic wand are you expecting they wave that distinguishes people who need your email address for legitimate from those who need it for illicit purposes? Why wouldn't we apply the same to the entire population and lock up criminals before they've committed crimes?
What you're asking is entirely impossible short of mandatory mind reading
I provided a spam email chain from a user with a linked GitHub profile, stating that they obtained my email from my GitHub profile.
GP [martinwoodward] states:
> This type of behaviour is explicitly against the GitHub terms of service, when we catch the accounts doing this we can (and do) take action against those accounts including banning the accounts.
But action was not taken, there was no reply to my email to GitHub support.
Yeah they likely rarely if ever "look into" it and certainly nobody has ever needed a lawyer over this.
As recently as a year or so ago, at least, you could list repo stargazers through their graphQL API and get a TON of email off that depending on the user settings.
That's not the way the world works. I'm not in it for the money.
In the past 12 months, I've made £65.79 from GitHub Sponsors (no fees, thank you GitHub/Microsoft) and $87.89 from Patreon (pre-fees, I'll probably see ~$50), and a split of the Open Collective [below]
I see. I am not claiming, that it is your job to fix that.
On that page though, the same issues are present. The pip install does not make use of any lock file.
pip install anki
Isn't a command we should be seeing in 2026. Unless it is a one-off experiment setup. There should be proper lock files, not just version numbers, especially in the Python and JS ecosystems this has become less and less acceptable.
Leaks username and password to shell command history. Again, can be fine for a one-off quick hack, but is not a great practice, since the shell command history is not the most secure place to store ones credentials in. This could be easily mitigated by adding leading " " (space), at least in environments I am familiar with, but better would probably be putting the credentials in a config file, so that they never hit the shell command history.
The repo already has a lock file for uv. It would be better to make use of that lock file, when using Python to install. And in fact, when one downloads a release of Anki for desktop and runs it the first time, it does make use of uv, creating a venv, and (unconfirmed) hopefully makes use of the uv lock file.
I see these kinds of issues very frequently in Python projects. As someone, who has previously worked on providing docker images for data science workflows, enabling reproducible research, I am quite sensitive to this. But also I hear from friends, that they are traumatized by Python projects installing things in system python and other shenanigans. In general there seem to be tons of people doing Python projects, who don't have a clear idea of how to make things safe and reproducible, which is giving Python projects in general a bad reputation. All while good solutions to these problems exist and existed for years.
In fairness, Python as an ecosystem doesn't make it clear, either. I used to write a ton of Python back in the v2 days. I came back to Python to write a web crawler in summer 2025 and couldn't believe how it was still a bunch of arcane commands to create a virtual environment and install dependencies and capture the dependencies. Yes, an IDE like Pycharm handles this (thank goodness), but jiminy crickets, why doesn't "pip" refuse to even work until you've done "pip init" which generates a requirements.txt and then every pip install should check for a requirements.txt in the PWD. If it doesn't exist, refuse to install the dep. If the file does exist, append the version of the dep to that file.
It's 2026. Even JavaScript can do this.
pip is the de facto manager for the entire language. It should be better. With Node Package Manager for JS, the installation default is at the project level. You have to do a command line override to install globally.
PIP is the opposite. In fact, the only way to install at the project level is to create a virtual environment and trick PIP into thinking it's installing at the global level!
What language operates like this in 2026? Maven installs at the project level. Unison at the project level. Haskell at the project level. JS/TS at the project level.
Belkin make a number of surge protectors which offer a connected equipment warranty in the UK. Admittedly: financial protection, not data protection, but I felt it was worthwhile for the peace of mind.
https://www.belkin.com/id/p/6-outlet-surge-protection-strip-...
reply