request to remove the numpy-aarch64 package from PyPI
Hi all, FYI, I noticed this package that claimed to be maintained by us: https://pypi.org/project/numpy-aarch64/. That's not ours, so I tried to contact the author (no email provided, but guessed the same username on GitHub) and asked to remove it: https://github.com/tomasriv/DNA_Sequence/issues/1. There are a very large number of packages with "numpy" in the name on PyPI, and there's no way we can audit/police that effectively, but if it's a rebuild that pretends like it's official then I think it's worth doing something about. It could contain malicious code for all we know.

Cheers, Ralf
On Sun, Jun 13, 2021, at 18:21, Charles R Harris wrote:
Maybe now is a good time to move to accept: https://numpy.org/neps/nep-0036-fair-play.html Stéfan
On 14/6/21 11:03 pm, Stefan van der Walt wrote:
Having just re-read the NEP, I think the Motivation section should mention name re-use: "Additionally, we wish to reduce confusion when package names imply they are sanctioned or maintained by NumPy". Other than that it looks good to me. Do you want to make a PR to add the discussion and change the status, and notify the list of your intention to accept it? Matti
On Tue, Jun 15, 2021, at 00:38, Matti Picus wrote:
Thanks, Matti. I've made the change suggested and updated the status here: https://github.com/numpy/numpy/pull/19284 Stéfan
On Mon, Jun 14, 2021 at 3:22 AM Charles R Harris <charlesr.harris@gmail.com> wrote:
Hard to know whether it was malicious or not. I finally filed a PyPI issue to hand over the package to me so I can delete the wheel and replace the README: https://github.com/pypa/pypi-support/issues/1635 Cheers, Ralf
Here's a story about how malicious PyPI packages help break into corporate networks. It is not necessarily the goal this particular person was aiming for. Just a side note. "Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies" https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610

Best regards, Lev

On Sun, Jan 30, 2022 at 6:48 PM Ralf Gommers <ralf.gommers@gmail.com> wrote: