• Fastly bot blocker on packages.debian.org is awful

    From W. Kosior@3:633/10 to All on Wednesday, April 15, 2026 16:20:01
    Hello Debian,
    I am an occasional user of this operating system. I used to rely on https://packages.debian.org for quickly checking the details of certain packages. I consider these pages especially useful when one must check something while on a different distro.
    I became extremely concerned when I noticed that
    https://packages.debian.org now includes a bot blocker from Fastly.
    This email is (1) a complaint, (2) a request to the community to come up
    with something that treats users better, and (3) a justification for
    (1) and (2).
    Sure, bot blockers have become a necessity. Almost every website needs
    them to remain functional. I have a kind of bot blocker on my private
    one as well.
    The problem lies with how a bot blocker operates. Fastly's one on
    Debian's website does unfair things that other popular bot blockers
    don't. It reports
    - browser window size,
    - document viewport size, and
    - a lot of other values that can be used for browser fingerprinting
    to the server.
    It is a well known fact that bad websites out there track visitors.
    But a free software OS community "should know better". I therefore
    request replacing Fastly with a different bot prevention tool that
    does not fingerprint users (nor needlessly collects data that *could*
    be used for fingerprinting).
    It's worth mentioning that other commonly used anti-scrapers are able to
    do their job without the need to collect such browser details. The
    best-known of them is Anubis (used, e.g., on kernel.org,
    elixir.bootlin.com, and koji.fedoraproject.org). But there's no need
    to recommend this particular one: others are just as good or even
    better. Not to mention that one could think a recognizable free
    software OS distro with history would allow fellow hackers to browse
    its website with JS disabled :/
    If there's a better place for this topic than this mailing list, I'll
    be grateful to someone who tells me where it is.
    Best
    Wojtek
    PS. I am not subscribed to debian-user@, please Cc koszko@koszko.org
    in your reply.
    --
    W. Kosior
    website: https://koszko.org/koszko.html
    fediverse: https://friendica.me/profile/koszko/profile
    PGP fingerprint: E972 7060 E3C5 637C 8A4F 4B42 4BC5 221C 5A79 FD1A


    --- PyGate Linux v1.5.14
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Andy Smith@3:633/10 to All on Wednesday, April 15, 2026 17:10:01
    Hi,

    On Wed, Apr 15, 2026 at 04:01:20PM +0200, W. Kosior wrote:
    > I became extremely concerned when I noticed that
    > https://packages.debian.org now includes a bot blocker from Fastly.
    > This email is (1) a complaint, (2) a request to the community to come up
    > with something that treats users better, and (3) a justification for
    > (1) and (2).

    You've sent your mail to debian-user, a group of users of Debian like
    you. We don't have any authority or ability to speak for the Debian
    project nor to effect change in the Debian project's web sites. You may
    be better off addressing your concern to the debian-project mailing
    list, or possibly debian-www.

    https://lists.debian.org/debian-project/
    https://lists.debian.org/debian-www/

    So as regards (1) and (3) we're not the right place.

    Having said that, I can't replicate what you're talking about. When I
    visit https://packages.debian.org/ in Firefox and Chromium I don't
    experience any problems. I do have JavaScript enabled. Are you disabling
    that? Are you seeing a captcha or is it something else?

    I do know that on the bug tracker web interface Debian is using a
    different form of anti-bot software: Haphash. That won't work without
    JS enabled.

    As regards justification though, again I'm not speaking on behalf of
    Debian but I would just note that volunteer efforts don't really need to justify anything. We're all just trying to get by. When you do contact
    Debian I would just stick to describing what doesn't work for you and
    asking if it can be done better.

    Personally I was a bit dismayed to see things requiring JS put in front
    of Debian sites, even though I do routinely allow JS myself. But if
    that's what was deemed necessary, so be it.

    I don't know what the case is with what you're seeing because I don't experience it.

    I was researching anti-bot mechanisms myself recently, as some of my
    sites are experiencing scraper bot problems. The most popular one seems
    to be Anubis and that's a JS-based challenge. As is Haphash, as already mentioned. I also found iocaine:

    https://iocaine.madhouse-project.org/

    That one doesn't seem to do a JS challenge, but it seemed quite complex
    and strange to me. Especially when I started to read that its author's
    own configuration was a whole other thing called Nam-Shub of Enki.

    https://3.nam-shub-of-enki.iocaine.madhouse-project.org/index.html

    The style is a bit impenetrable for me. I'll have to research more.

    Thanks,
    Andy

    --
    https://bitfolk.com/ -- No-nonsense VPS hosting

  • From W. Kosior@3:633/10 to All on Wednesday, April 15, 2026 19:20:02
    // lists.debian.org does not like my mailserver's aggressive DMARC
    // configuration. Some might be receiving this thread without the first
    // email. Sorry for the nuisance.
    Hello Andy,
    thanks for the response.
    > You may be better off addressing your concern to the debian-project
    > mailing list, or possibly debian-www.
    >
    > https://lists.debian.org/debian-project/
    > https://lists.debian.org/debian-www/

    This appears to be what I needed.

    > Having said that, I can't replicate what you're talking about. When I
    > visit https://packages.debian.org/ in Firefox and Chromium I don't
    > experience any problems. I do have JavaScript enabled. Are you disabling
    > that? Are you seeing a captcha or is it something else?

    Yes, I am disabling JS and the website says "Please enable JavaScript
    to proceed." then.
    Nonetheless, _fingerprinting_ performed by the JS is the main issue I'd
    like to talk about. For a reason: these days complaints about the JS
    as such are ineffective. Tracking, however, *might* be looked at more
    seriously. I additionally mentioned JS towards the end because it
    felt wrong to be completely silent about it (and because I suspect
    computer literate people dwell on this mailing list and they can
    understand this thing).

    > I do know that on the bug tracker web interface Debian is using a
    > different form of anti-bot software: Haphash. That won't work without
    > JS enabled.

    I've seen that other parts of Debian's infrastructure use other
    bot-blocker(s). I had not investigated them when starting this thread.
    I am looking at haphash now - it seems fair compared to Fastly. No
    superfluous browser details get collected.

    > As regards justification though, again I'm not speaking on behalf of
    > Debian but I would just note that volunteer efforts don't really need to
    > justify anything.

    Oh, I meant my email itself to be a justification for my request
    and for my complaint. I did not mean to request a justification from
    someone.

    > I was researching anti-bot mechanisms myself recently, as some of my
    > sites are experiencing scraper bot problems. The most popular one seems
    > to be Anubis and that's a JS-based challenge.

    Indeed. Well, it supports several kinds of challenges, including
    JS-free ones - yet, the most popular ones are, as you've witnessed, the
    JS-based ones.
    There are many, many more similar tools. And in some sense all that use
    Proof-of-Work challenges are unnecessary. Even a joke as at [1] stops
    the bots. Webmasters, however, seem to prefer blockers that don't
    require the user to click / type anything. Hence the popularity of
    Anubis, iocaine, etc.

    [1] https://git.koszko.org/stop-crawlers?then=simple-browser-extension%2Flog%2F

    Best!
    Wojtek
    PS. I am not subscribed to debian-user@. Please Cc koszko@koszko.org.
    Thanks!
    --
    W. Kosior
    website: https://koszko.org/koszko.html
    fediverse: https://friendica.me/profile/koszko/profile
    PGP fingerprint: E972 7060 E3C5 637C 8A4F 4B42 4BC5 221C 5A79 FD1A

    On Wed, 15 Apr 2026 14:59:41 +0000
    Andy Smith <andy@strugglers.net> wrote:
    > Hi,
    >
    > On Wed, Apr 15, 2026 at 04:01:20PM +0200, W. Kosior wrote:
    >> I became extremely concerned when I noticed that
    >> https://packages.debian.org now includes a bot blocker from Fastly.
    >> This email is (1) a complaint, (2) a request to the community to come up
    >> with something that treats users better, and (3) a justification for
    >> (1) and (2).
    >
    > You've sent your mail to debian-user, a group of users of Debian like
    > you. We don't have any authority or ability to speak for the Debian
    > project nor to effect change in the Debian project's web sites. You may
    > be better off addressing your concern to the debian-project mailing
    > list, or possibly debian-www.
    >
    > https://lists.debian.org/debian-project/
    > https://lists.debian.org/debian-www/
    >
    > So as regards (1) and (3) we're not the right place.
    >
    > Having said that, I can't replicate what you're talking about. When I
    > visit https://packages.debian.org/ in Firefox and Chromium I don't
    > experience any problems. I do have JavaScript enabled. Are you disabling
    > that? Are you seeing a captcha or is it something else?
    >
    > I do know that on the bug tracker web interface Debian is using a
    > different form of anti-bot software: Haphash. That won't work without
    > JS enabled.
    >
    > As regards justification though, again I'm not speaking on behalf of
    > Debian but I would just note that volunteer efforts don't really need to
    > justify anything. We're all just trying to get by. When you do contact
    > Debian I would just stick to describing what doesn't work for you and
    > asking if it can be done better.
    >
    > Personally I was a bit dismayed to see things requiring JS put in front
    > of Debian sites, even though I do routinely allow JS myself. But if
    > that's what was deemed necessary, so be it.
    >
    > I don't know what the case is with what you're seeing because I don't
    > experience it.
    >
    > I was researching anti-bot mechanisms myself recently, as some of my
    > sites are experiencing scraper bot problems. The most popular one seems
    > to be Anubis and that's a JS-based challenge. As is Haphash, as already
    > mentioned. I also found iocaine:
    >
    > https://iocaine.madhouse-project.org/
    >
    > That one doesn't seem to do a JS challenge, but it seemed quite complex
    > and strange to me. Especially when I started to read that its author's
    > own configuration was a whole other thing called Nam-Shub of Enki.
    >
    > https://3.nam-shub-of-enki.iocaine.madhouse-project.org/index.html
    >
    > The style is a bit impenetrable for me. I'll have to research more.
    >
    > Thanks,
    > Andy



  • From tomas@3:633/10 to All on Thursday, April 16, 2026 08:50:01
    On Wed, Apr 15, 2026 at 07:10:04PM +0200, W. Kosior wrote:
    > [...]
    > Yes, I am disabling JS and the website says "Please enable JavaScript
    > to proceed." then.

    I share your feeling. Actually, I avoid JS-only websites unless I
    really, really need them.

    > [...]
    > [1] https://git.koszko.org/stop-crawlers?then=simple-browser-extension%2Flog%2F

    Thanks for the pointer! I'm myself interested in such solutions/ideas.
    Cheers
    --
    tomás


  • From Joe@3:633/10 to All on Thursday, April 16, 2026 09:50:01
    On Thu, 16 Apr 2026 08:42:45 +0200
    <tomas@tuxteam.de> wrote:

    > On Wed, Apr 15, 2026 at 07:10:04PM +0200, W. Kosior wrote:
    >
    > [...]
    >
    >> Yes, I am disabling JS and the website says "Please enable
    >> JavaScript to proceed." then.
    >
    > I share your feeling. Actually, I avoid JS-only websites unless I
    > really, really need them.

    And the problem is that they nearly all do. Even Debian now...

    --
    Joe

  • From tomas@3:633/10 to All on Thursday, April 16, 2026 10:40:01
    On Thu, Apr 16, 2026 at 08:40:19AM +0100, Joe wrote:
    > On Thu, 16 Apr 2026 08:42:45 +0200
    > <tomas@tuxteam.de> wrote:
    >
    >> On Wed, Apr 15, 2026 at 07:10:04PM +0200, W. Kosior wrote:
    >>
    >> [...]
    >>
    >>> Yes, I am disabling JS and the website says "Please enable
    >>> JavaScript to proceed." then.
    >>
    >> I share your feeling. Actually, I avoid JS-only websites unless I
    >> really, really need them.
    >
    > And the problem is that they nearly all do. Even Debian now...

    Not the ones I care about, yet. So it makes sense to keep up
    pressure.
    Cheers
    --
    t


  • From Andy Smith@3:633/10 to All on Friday, April 17, 2026 11:00:02
    On Wed, Apr 15, 2026 at 02:59:41PM +0000, Andy Smith wrote:
    > On Wed, Apr 15, 2026 at 04:01:20PM +0200, W. Kosior wrote:
    >> I became extremely concerned when I noticed that
    >> https://packages.debian.org now includes a bot blocker from Fastly.
    >> This email is (1) a complaint, (2) a request to the community to come up
    >> with something that treats users better, and (3) a justification for
    >> (1) and (2).
    >
    > You've sent your mail to debian-user, a group of users of Debian like
    > you. We don't have any authority or ability to speak for the Debian
    > project nor to effect change in the Debian project's web sites. You may
    > be better off addressing your concern to the debian-project mailing
    > list, or possibly debian-www.
    >
    > https://lists.debian.org/debian-project/
    > https://lists.debian.org/debian-www/

    I see there is a bug filed today about how even RSS feeds from packages.debian.org are being given a JS challenge, which obviously
    breaks feed readers,

    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134165

    (JS also needed to view that URL.)

    Thanks,
    Andy

    --
    https://bitfolk.com/ -- No-nonsense VPS hosting
