request to remove the numpy-aarch64 package from PyPI
Hi all,
FYI, I noticed this package that claimed to be maintained by us: https://pypi.org/project/numpy-aarch64/. That's not ours, so I tried to contact the author (no email provided, but guessed the same username on GitHub) and asked to remove it: https://github.com/tomasriv/DNA_Sequence/issues/1.
There are a very large number of packages with "numpy" in the name on PyPI, and there's no way we can audit/police that effectively, but if it's a rebuild that pretends like it's official then I think it's worth doing something about. It could contain malicious code for all we know.
Cheers, Ralf
On Sun, Jun 13, 2021 at 10:47 AM Ralf Gommers ralf.gommers@gmail.com wrote:
Hi all,
FYI, I noticed this package that claimed to be maintained by us: https://pypi.org/project/numpy-aarch64/. That's not ours, so I tried to contact the author (no email provided, but guessed the same username on GitHub) and asked to remove it: https://github.com/tomasriv/DNA_Sequence/issues/1.
There are a very large number of packages with "numpy" in the name on PyPI, and there's no way we can audit/police that effectively, but if it's a rebuild that pretends like it's official then I think it's worth doing something about. It could contain malicious code for all we know.
That is a pretty misleading package description, would have fooled me if I didn't know better. I didn't get the impression it was malicious, but still . . .
Chuck
On Sun, Jun 13, 2021, at 18:21, Charles R Harris wrote:
On Sun, Jun 13, 2021 at 10:47 AM Ralf Gommers ralf.gommers@gmail.com wrote:
FYI, I noticed this package that claimed to be maintained by us: https://pypi.org/project/numpy-aarch64/. That's not ours, so I tried to contact the author (no email provided, but guessed the same username on GitHub) and asked to remove it: https://github.com/tomasriv/DNA_Sequence/issues/1.
There are a very large number of packages with "numpy" in the name on PyPI, and there's no way we can audit/police that effectively, but if it's a rebuild that pretends like it's official then I think it's worth doing something about. It could contain malicious code for all we know.
That is a pretty misleading package description, would have fooled me if I didn't know better. I didn't get the impression it was malicious, but still . . .
Maybe now is a good time to move to accept:
https://numpy.org/neps/nep-0036-fair-play.html
Stéfan
On 14/6/21 11:03 pm, Stefan van der Walt wrote:
On Sun, Jun 13, 2021, at 18:21, Charles R Harris wrote:
On Sun, Jun 13, 2021 at 10:47 AM Ralf Gommers <ralf.gommers@gmail.com mailto:ralf.gommers@gmail.com> wrote:
FYI, I noticed this package that claimed to be maintained by us: https://pypi.org/project/numpy-aarch64/ <https://pypi.org/project/numpy-aarch64/>. That's not ours, so I tried to contact the author (no email provided, but guessed the same username on GitHub) and asked to remove it: https://github.com/tomasriv/DNA_Sequence/issues/1 <https://github.com/tomasriv/DNA_Sequence/issues/1>. There are a very large number of packages with "numpy" in the name on PyPI, and there's no way we can audit/police that effectively, but if it's a rebuild that pretends like it's official then I think it's worth doing something about. It could contain malicious code for all we know.That is a pretty misleading package description, would have fooled me if I didn't know better. I didn't get the impression it was malicious, but still . . .
Maybe now is a good time to move to accept:
https://numpy.org/neps/nep-0036-fair-play.html https://numpy.org/neps/nep-0036-fair-play.html
Stéfan
Having just re-read the NEP, I think the Motivation section should mention name re-use: "Additionally, we wish to reduce confusion when package names imply they are sanctioned or maintained by NumPy". Other than that it looks good to me. Do you want to make a PR to add the discussion and change the status, and notify the list of your intention to accept it?
Matti
On Tue, Jun 15, 2021, at 00:38, Matti Picus wrote:
Having just re-read the NEP, I think the Motivation section should mention name re-use: "Additionally, we wish to reduce confusion when package names imply they are sanctioned or maintained by NumPy". Other than that it looks good to me. Do you want to make a PR to add the discussion and change the status, and notify the list of your intention to accept it?
Thanks, Matti. I've made the change suggested and updated the status here:
https://github.com/numpy/numpy/pull/19284
Stéfan
On Mon, Jun 14, 2021 at 3:22 AM Charles R Harris charlesr.harris@gmail.com wrote:
On Sun, Jun 13, 2021 at 10:47 AM Ralf Gommers ralf.gommers@gmail.com wrote:
Hi all,
FYI, I noticed this package that claimed to be maintained by us: https://pypi.org/project/numpy-aarch64/. That's not ours, so I tried to contact the author (no email provided, but guessed the same username on GitHub) and asked to remove it: https://github.com/tomasriv/DNA_Sequence/issues/1.
There are a very large number of packages with "numpy" in the name on PyPI, and there's no way we can audit/police that effectively, but if it's a rebuild that pretends like it's official then I think it's worth doing something about. It could contain malicious code for all we know.
That is a pretty misleading package description, would have fooled me if I didn't know better. I didn't get the impression it was malicious, but still . .
Hard to know whether it was malicious or not.
I finally filed a PyPI issue to hand over the package to me so I can delete the wheel and replace the README: https://github.com/pypa/pypi-support/issues/1635
Cheers, Ralf
Here's a story about how malicious pypi packages help break into corporate networks. It is not necessarily the goal this particular person was aiming for. Just a side note. "Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies" https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
Best regards, Lev
On Sun, Jan 30, 2022 at 6:48 PM Ralf Gommers ralf.gommers@gmail.com wrote:
On Mon, Jun 14, 2021 at 3:22 AM Charles R Harris < charlesr.harris@gmail.com> wrote:
On Sun, Jun 13, 2021 at 10:47 AM Ralf Gommers ralf.gommers@gmail.com wrote:
Hi all,
FYI, I noticed this package that claimed to be maintained by us: https://pypi.org/project/numpy-aarch64/. That's not ours, so I tried to contact the author (no email provided, but guessed the same username on GitHub) and asked to remove it: https://github.com/tomasriv/DNA_Sequence/issues/1.
There are a very large number of packages with "numpy" in the name on PyPI, and there's no way we can audit/police that effectively, but if it's a rebuild that pretends like it's official then I think it's worth doing something about. It could contain malicious code for all we know.
That is a pretty misleading package description, would have fooled me if I didn't know better. I didn't get the impression it was malicious, but still . .
Hard to know whether it was malicious or not.
I finally filed a PyPI issue to hand over the package to me so I can delete the wheel and replace the README: https://github.com/pypa/pypi-support/issues/1635
Cheers, Ralf
NumPy-Discussion mailing list -- numpy-discussion@python.org To unsubscribe send an email to numpy-discussion-leave@python.org https://mail.python.org/mailman3/lists/numpy-discussion.python.org/ Member address: lev.maximov@gmail.com
On Sun, Jan 30, 2022 at 12:44 PM Ralf Gommers ralf.gommers@gmail.com wrote:
On Mon, Jun 14, 2021 at 3:22 AM Charles R Harris < charlesr.harris@gmail.com> wrote:
On Sun, Jun 13, 2021 at 10:47 AM Ralf Gommers ralf.gommers@gmail.com wrote:
Hi all,
FYI, I noticed this package that claimed to be maintained by us: https://pypi.org/project/numpy-aarch64/. That's not ours, so I tried to contact the author (no email provided, but guessed the same username on GitHub) and asked to remove it: https://github.com/tomasriv/DNA_Sequence/issues/1.
There are a very large number of packages with "numpy" in the name on PyPI, and there's no way we can audit/police that effectively, but if it's a rebuild that pretends like it's official then I think it's worth doing something about. It could contain malicious code for all we know.
That is a pretty misleading package description, would have fooled me if I didn't know better. I didn't get the impression it was malicious, but still . .
Hard to know whether it was malicious or not.
I finally filed a PyPI issue to hand over the package to me so I can delete the wheel and replace the README: https://github.com/pypa/pypi-support/issues/1635
To close the loop on this: I just received admin access to the package and deleted the one release for it, so the name is now safe (I won't release it, just sit on it).
Cheers, Ralf
participants (5)
-
Charles R Harris -
Lev Maximov -
Matti Picus -
Ralf Gommers -
Stefan van der Walt