From fuzzyman at gmail.com  Fri Mar  2 14:08:25 2012
From: fuzzyman at gmail.com (Michael Foord)
Date: Fri, 2 Mar 2012 13:08:25 +0000
Subject: [Catalog-sig] PyPI download stats stopped updating
Message-ID: <CAKCKLWzM0XsTjY44-eziAEKVWLKhag7UfDjF0VzyuQcynWGR_g@mail.gmail.com>

Hey folks,

http://sourceforge.net/tracker/?func=detail&aid=3496035&group_id=66150&atid=513503

It looks like download stats for packages have stopped updating.

All the best,

Michael Foord

-- 

http://www.voidspace.org.uk/

May you do good and not evil
May you find forgiveness for yourself and forgive others
May you share freely, never taking more than you give.
-- the sqlite blessing http://www.sqlite.org/different.html

From donald.stufft at gmail.com  Fri Mar  2 19:02:41 2012
From: donald.stufft at gmail.com (Donald Stufft)
Date: Fri, 2 Mar 2012 13:02:41 -0500
Subject: [Catalog-sig] PyPI download stats stopped updating
In-Reply-To: <CAKCKLWzM0XsTjY44-eziAEKVWLKhag7UfDjF0VzyuQcynWGR_g@mail.gmail.com>
References: <CAKCKLWzM0XsTjY44-eziAEKVWLKhag7UfDjF0VzyuQcynWGR_g@mail.gmail.com>
Message-ID: <5CDC608C2C0D47C8A2C295D7F4072110@gmail.com>

I've also seen this. Logging on Crate.io shows that no updates have occurred at least since the 28th; I've
gotten reports of it being since the 26th. Curiously the data at pypi.python.org/stats/ *seems* like it might
be updating.


On Friday, March 2, 2012 at 8:08 AM, Michael Foord wrote:

> Hey folks,
> 
> http://sourceforge.net/tracker/?func=detail&aid=3496035&group_id=66150&atid=513503 
> 
> It looks like download stats for packages have stopped updating.
> 
> All the best,
> 
> Michael Foord
> 
> -- 
> http://www.voidspace.org.uk/
> 
> May you do good and not evil
> May you find forgiveness for yourself and forgive others
> May you share freely, never taking more than you give.
> -- the sqlite blessing http://www.sqlite.org/different.html 
> _______________________________________________
> Catalog-SIG mailing list
> Catalog-SIG at python.org (mailto:Catalog-SIG at python.org)
> http://mail.python.org/mailman/listinfo/catalog-sig
> 
> 



From martin at v.loewis.de  Sun Mar  4 00:00:02 2012
From: martin at v.loewis.de ("Martin v. Löwis")
Date: Sun, 04 Mar 2012 00:00:02 +0100
Subject: [Catalog-sig] PyPI download stats stopped updating
In-Reply-To: <CAKCKLWzM0XsTjY44-eziAEKVWLKhag7UfDjF0VzyuQcynWGR_g@mail.gmail.com>
References: <CAKCKLWzM0XsTjY44-eziAEKVWLKhag7UfDjF0VzyuQcynWGR_g@mail.gmail.com>
Message-ID: <4F52A272.7000408@v.loewis.de>

> It looks like download stats for packages have stopped updating.

I have now fixed it. After the last dinsdale crash, the postgres WAL
was corrupted. Even though Noah (IIRC) had fixed that, apparently there
were inconsistencies in the database.

As a consequence, updating the download counter triggered an
assertion in postgres, which in turn caused the transaction to abort.
I tried reindexing the database, which failed due to a duplicate
primary key in the user table.

I manually removed the duplicate record, reindexed the database, and
ran the stats integration. So now all should be fine.

Regards,
Martin

From martin at v.loewis.de  Tue Mar 13 21:17:32 2012
From: martin at v.loewis.de ("Martin v. Löwis")
Date: Tue, 13 Mar 2012 13:17:32 -0700
Subject: [Catalog-sig] Mirror selection
Message-ID: <4F5FAB5C.7000406@v.loewis.de>

We were just talking about PyPI mirror selection at the sprint,
so people asked me to release the current implementation of my
mirror selection algorithm, which is now at

http://www.dcl.hpi.uni-potsdam.de/home/loewis/_mirrorlib.py

The main function is

def find_mirror(start_with='a',
                good_age=30*60,
                slow_mirrors_wait=5,
                prefer_fastest=True):
    '''find_mirror(start_with, good_age, slow_mirrors_wait, prefer_fastest)
       -> [(name, family, IP, response_time, last_modified)]

    Find a PyPI mirror matching given criteria.
    start_with indicates the first mirror that should be considered (defaults to 'a').
    If prefer_fastest is True, it stops with the first mirror responding. Mirrors 'compete'
    against each other in randomly-shuffled batches of 10.
    If this procedure goes on for longer than slow_mirrors_wait (default 5s) and prefer_fastest
    is false, return even if not all mirrors have been responding.
    If no matching mirror can be found, the newest one that did respond is returned.
    If no mirror can be found at all, ValueError is raised'''

Regards,
Martin
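
The selection rules in that docstring, re-implemented as an added example (this is not Martin's _mirrorlib.py, which probes the real mirror hosts). The network probe, the clock and the random generator are injected so the batch/age/fallback logic can be exercised offline; mirror names are assumed to be single letters compared lexically against start_with, and prefer_fastest=False is interpreted as "newest data, then fastest response".

```python
import random
import time
from typing import Callable, Dict, List, Optional, Sequence, Tuple

# Probe result: (response_time in seconds, last_modified as Unix time),
# or None when the mirror is down or timed out.
ProbeResult = Optional[Tuple[float, float]]
Entry = Tuple[str, float, float]        # (name, response_time, last_modified)
BATCH_SIZE = 10                          # mirrors compete in shuffled batches of 10


def find_mirror(mirrors: Sequence[str],
                probe: Callable[[str], ProbeResult],
                start_with: str = 'a',
                good_age: float = 30 * 60,
                slow_mirrors_wait: float = 5,
                prefer_fastest: bool = True,
                now: Optional[float] = None,
                rng: Optional[random.Random] = None,
                clock: Callable[[], float] = time.monotonic) -> Entry:
    """Pick a mirror following the rules in the docstring above.

    A mirror matches when it responds and its data is at most good_age seconds
    old.  Mirrors whose name sorts before start_with are skipped (assumption:
    mirror names are single letters compared lexically).  probe, now, rng and
    clock are injected so the selection can be tested offline.
    """
    now = time.time() if now is None else now
    rng = rng or random.Random()
    candidates = [m for m in mirrors if m >= start_with]
    rng.shuffle(candidates)

    responders: List[Entry] = []   # every mirror that answered at all
    fresh: List[Entry] = []        # responders whose data is within good_age
    deadline = clock() + slow_mirrors_wait

    for i in range(0, len(candidates), BATCH_SIZE):
        for name in candidates[i:i + BATCH_SIZE]:
            result = probe(name)
            if result is None:
                continue                       # down: not a responder
            response_time, last_modified = result
            entry = (name, response_time, last_modified)
            responders.append(entry)
            if now - last_modified <= good_age:
                if prefer_fastest:
                    return entry               # first fresh responder wins
                fresh.append(entry)
        # prefer_fastest=False: give every mirror a chance unless the whole
        # procedure has already taken longer than slow_mirrors_wait
        if not prefer_fastest and clock() > deadline:
            break

    if fresh:
        # interpretation used here: newest data first, then fastest response
        return min(fresh, key=lambda e: (-e[2], e[1]))
    if responders:
        # nothing fresh enough: fall back to the newest mirror that did respond
        return max(responders, key=lambda e: e[2])
    raise ValueError('no PyPI mirror responded')


def make_probe(table: Dict[str, ProbeResult]) -> Callable[[str], ProbeResult]:
    """Offline probe backed by a constructed table instead of HTTP requests."""
    return lambda name: table.get(name)


# Constructed sample, not real mirror data: six mirrors at a fixed "now".
NOW = 1_331_000_000.0
SAMPLE: Dict[str, ProbeResult] = {
    'a': (0.05, NOW - 10),          # fresh and fast
    'b': None,                      # down
    'c': (0.30, NOW - 3 * 3600),    # responding, but three hours stale
    'd': (0.20, NOW - 120),         # fresh
    'e': (0.10, NOW - 2 * 3600),    # stale
    'f': None,                      # down
}


def demo() -> Dict[str, str]:
    probe, names = make_probe(SAMPLE), sorted(SAMPLE)
    return {
        # start_with='c' drops a and b, leaving d as the only fresh mirror
        'from_c': find_mirror(names, probe, start_with='c', now=NOW)[0],
        # prefer_fastest=False probes everything and picks the newest fresh one
        'newest': find_mirror(names, probe, prefer_fastest=False, now=NOW)[0],
        # good_age=5 makes nothing fresh: the newest responder (a) is returned
        'fallback': find_mirror(names, probe, good_age=5, now=NOW)[0],
    }


if __name__ == '__main__':
    print(demo())
```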

From martin at v.loewis.de  Thu Mar 15 17:33:20 2012
From: martin at v.loewis.de ("Martin v. Löwis")
Date: Thu, 15 Mar 2012 09:33:20 -0700
Subject: [Catalog-sig] PyPI code now on bitbucket
Message-ID: <4F6219D0.6050507@v.loewis.de>

I moved the PyPI code to

https://bitbucket.org/loewis/pypi

Regards,
Martin

From noah at coderanger.net  Thu Mar 15 17:57:22 2012
From: noah at coderanger.net (Noah Kantrowitz)
Date: Thu, 15 Mar 2012 09:57:22 -0700
Subject: [Catalog-sig] PyPI code now on bitbucket
In-Reply-To: <4F6219D0.6050507@v.loewis.de>
References: <4F6219D0.6050507@v.loewis.de>
Message-ID: <91210437-8AED-4E98-9A2D-60E7A08621EF@coderanger.net>

Any chance we can host that under the PSF organization instead of your personal account? Would help improve bus factor :-)

--Noah

On Mar 15, 2012, at 9:33 AM, Martin v. Löwis wrote:

> I moved the PyPI code to
> 
> https://bitbucket.org/loewis/pypi
> 
> Regards,
> Martin
> _______________________________________________
> Catalog-SIG mailing list
> Catalog-SIG at python.org
> http://mail.python.org/mailman/listinfo/catalog-sig


From martin at v.loewis.de  Thu Mar 15 18:55:28 2012
From: martin at v.loewis.de ("Martin v. Löwis")
Date: Thu, 15 Mar 2012 10:55:28 -0700
Subject: [Catalog-sig] PyPI code now on bitbucket
In-Reply-To: <91210437-8AED-4E98-9A2D-60E7A08621EF@coderanger.net>
References: <4F6219D0.6050507@v.loewis.de>
	<91210437-8AED-4E98-9A2D-60E7A08621EF@coderanger.net>
Message-ID: <4F622D10.2060901@v.loewis.de>

On 15.03.12 09:57, Noah Kantrowitz wrote:
> Any chance we can host that under the PSF organization instead of your personal account? Would help improve bus factor :-)
>

Richard requested it to be on bitbucket, and he also has admin access to it.

Regards,
Martin

From noah at coderanger.net  Thu Mar 15 19:14:53 2012
From: noah at coderanger.net (Noah Kantrowitz)
Date: Thu, 15 Mar 2012 11:14:53 -0700
Subject: [Catalog-sig] PyPI code now on bitbucket
In-Reply-To: <4F622D10.2060901@v.loewis.de>
References: <4F6219D0.6050507@v.loewis.de>
	<91210437-8AED-4E98-9A2D-60E7A08621EF@coderanger.net>
	<4F622D10.2060901@v.loewis.de>
Message-ID: <65F51FC4-6703-4322-8AA9-F6C0372BB73C@coderanger.net>

Yes, I mean on Bitbucket but under the official PSF organization. I think it is https://bitbucket.org/PSF, but Jesper (CC'd) would know for sure.

--Noah

On Mar 15, 2012, at 10:55 AM, Martin v. Löwis wrote:

> On 15.03.12 09:57, Noah Kantrowitz wrote:
>> Any chance we can host that under the PSF organization instead of your personal account? Would help improve bus factor :-)
>> 
> 
> Richard requested it to be on bitbucket, and he also has admin access to it.
> 
> Regards,
> Martin


From martin at v.loewis.de  Thu Mar 15 19:36:29 2012
From: martin at v.loewis.de ("Martin v. Löwis")
Date: Thu, 15 Mar 2012 11:36:29 -0700
Subject: [Catalog-sig] PyPI code now on bitbucket
In-Reply-To: <CAJgxfqbZ5UEY5qUdowdviNye+7x0PSbeZT-wwAcWLz776pPrxw@mail.gmail.com>
References: <4F6219D0.6050507@v.loewis.de>
	<91210437-8AED-4E98-9A2D-60E7A08621EF@coderanger.net>
	<4F622D10.2060901@v.loewis.de>
	<65F51FC4-6703-4322-8AA9-F6C0372BB73C@coderanger.net>
	<CAJgxfqbZ5UEY5qUdowdviNye+7x0PSbeZT-wwAcWLz776pPrxw@mail.gmail.com>
Message-ID: <4F6236AD.1020909@v.loewis.de>

On 15.03.12 11:19, Jesper Noehr wrote:
> Doug Hellmann sits on the PSF account on our end. :-)

Ah, ok. Who needs to do what to make this happen?

Regards,
Martin

From noah at coderanger.net  Thu Mar 15 19:39:33 2012
From: noah at coderanger.net (Noah Kantrowitz)
Date: Thu, 15 Mar 2012 11:39:33 -0700
Subject: [Catalog-sig] PyPI code now on bitbucket
In-Reply-To: <4F6236AD.1020909@v.loewis.de>
References: <4F6219D0.6050507@v.loewis.de>
	<91210437-8AED-4E98-9A2D-60E7A08621EF@coderanger.net>
	<4F622D10.2060901@v.loewis.de>
	<65F51FC4-6703-4322-8AA9-F6C0372BB73C@coderanger.net>
	<CAJgxfqbZ5UEY5qUdowdviNye+7x0PSbeZT-wwAcWLz776pPrxw@mail.gmail.com>
	<4F6236AD.1020909@v.loewis.de>
Message-ID: <7C4DF68A-0D46-484F-8E2B-7E03F6010FF8@coderanger.net>

Doug, can you make a PyPI repo under the PSF account and add martin and richard as admins? Then you can just push there too and all will be well :-) You might want to just remove the copy under your username and fork the main one after that so it is in the forks list, but the repo under your username can be used for your personal development while the main one stays stable for deployment.

--Noah

On Mar 15, 2012, at 11:36 AM, Martin v. Löwis wrote:

> On 15.03.12 11:19, Jesper Noehr wrote:
>> Doug Hellmann sits on the PSF account on our end. :-)
> 
> Ah, ok. Who needs to do what to make this happen?
> 
> Regards,
> Martin


From a.badger at gmail.com  Thu Mar 15 21:38:35 2012
From: a.badger at gmail.com (Toshio Kuratomi)
Date: Thu, 15 Mar 2012 13:38:35 -0700
Subject: [Catalog-sig] Restart discussion on GNU Public License with version
	classifiers
Message-ID: <20120315203835.GB11151@unaka.lan>

In November of 2011 [1]_ we started talking about adding classifiers for the
GNU Public license family that included the version information.  I think we
decided that this had value but got caught up in bikeshedding the exact
format.  It would be nice to get this resolved and into pypi, though, so I'm
going to revive my proposal.

.. [1]_:
http://mail.python.org/pipermail/catalog-sig/2011-November/004028.html

== New license classifiers ==

License :: OSI Approved :: GNU Lesser General Public License v2 (LGPLv2)
License :: OSI Approved :: GNU Lesser General Public License v3 (LGPLv3)
License :: OSI Approved :: GNU Lesser General Public License v2 or later (LGPLv2+)
License :: OSI Approved :: GNU Lesser General Public License v3 or later (LGPLv3+)
License :: OSI Approved :: GNU General Public License v2 (GPLv2)
License :: OSI Approved :: GNU General Public License v3 (GPLv3)
License :: OSI Approved :: GNU General Public License v2 or later (GPLv2+)
License :: OSI Approved :: GNU General Public License v3 or later (GPLv3+)
License :: OSI Approved :: GNU Affero General Public License v3 or later (AGPLv3+)

== Current license classifier that won't be replaced ==

License :: OSI Approved :: GNU Affero General Public License v3

Should there be a version 4 of the AGPL we would add:

License :: OSI Approved :: GNU Affero General Public License v4 (AGPLv4)
License :: OSI Approved :: GNU Affero General Public License v4 or later (AGPLv4+)

== "Deprecated"[2]_ License classifiers ==

License :: OSI Approved :: GNU Free Documentation License (FDL)
License :: OSI Approved :: GNU General Public License (GPL)
License :: OSI Approved :: GNU Library or Lesser General Public License (LGPL)

.. [2]_: Deprecated doesn't have any real meaning as we won't get rid of them.
    We'll just be telling people to use the other classifiers should they ask.


== Alternatives ==

Last time there were discussions around whether to place the version
information in a subsequent field.  Despite the discussion about this,
a subsequent license has been added to the catalog where the version is
included in the main string [3]_.  The original reporter of the need for
versioned GPL tags also felt that having a 4th level would do less to
clarify the licensing intent than my proposal[4]_.

In writing this summary, I found that there hasn't been a solid proposal of
what the classifier for a broken out version would look like.  I can't think
of a good way to write one since I don't know how it would interact with the
short forms of the licenses (ex: LGPLv2).  If someone would like to make
a complete alternate proposal, I just want to see this done, so I'll offer
constructive criticism on it.


.. [3]:
http://mail.python.org/pipermail/catalog-sig/2012-January/004186.html
.. [4]_:
http://mail.python.org/pipermail/catalog-sig/2011-December/004078.html

-Toshio
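
As an added example (not part of the proposal or of PyPI's own code), a parser for the classifier strings above that cross-checks the parenthesised short form against the version and the "or later" marker, the two places where the long and short forms can drift apart; it accepts the existing MPL-style entries as well. The MISMATCH string is a constructed bad entry, not one of the proposed classifiers.

```python
import re
from typing import Dict, List, NamedTuple, Optional


class LicenseClassifier(NamedTuple):
    family: str               # e.g. 'GNU General Public License'
    version: Optional[str]    # '2', '3', '1.1', ...; None for the unversioned legacy entries
    or_later: bool            # True for the "v2 or later" variants
    short: Optional[str]      # parenthesised short form such as 'GPLv2+'; None if absent


# Matches both the proposed form  "... GNU General Public License v2 or later (GPLv2+)"
# and the existing MPL form       "... Mozilla Public License 2.0 (MPL 2.0)".
_CLASSIFIER = re.compile(
    r'^License :: OSI Approved :: '
    r'(?P<family>.+?)'                        # license name, shortest match that fits
    r'(?: v?(?P<version>\d+(?:\.\d+)?))?'     # "v2"/"v3" (proposal) or "1.1"/"2.0" (MPL)
    r'(?P<later> or later)?'
    r'(?: \((?P<short>[^)]+)\))?$'
)


def parse_classifier(text: str) -> LicenseClassifier:
    """Split one classifier string into its components; ValueError if it is not one."""
    m = _CLASSIFIER.match(text.strip())
    if m is None:
        raise ValueError('not an OSI Approved license classifier: %r' % text)
    return LicenseClassifier(m.group('family'), m.group('version'),
                             m.group('later') is not None, m.group('short'))


def short_form_problems(c: LicenseClassifier) -> List[str]:
    """List the ways the short form in parentheses disagrees with the long form."""
    problems: List[str] = []
    if c.short is None:
        return problems                       # nothing to cross-check
    if c.version is not None and c.version not in c.short:
        problems.append('short form %r does not carry version %s' % (c.short, c.version))
    if c.short.endswith('+') != c.or_later:
        problems.append('short form %r and "or later" disagree' % c.short)
    return problems


def check_classifiers(lines) -> Dict[str, List[str]]:
    """Map each classifier string to its problems; an empty list means consistent."""
    return {line: short_form_problems(parse_classifier(line))
            for line in lines if line.strip()}


# The strings proposed above, copied from the message.
PROPOSED = [
    'License :: OSI Approved :: GNU Lesser General Public License v2 (LGPLv2)',
    'License :: OSI Approved :: GNU Lesser General Public License v3 (LGPLv3)',
    'License :: OSI Approved :: GNU Lesser General Public License v2 or later (LGPLv2+)',
    'License :: OSI Approved :: GNU Lesser General Public License v3 or later (LGPLv3+)',
    'License :: OSI Approved :: GNU General Public License v2 (GPLv2)',
    'License :: OSI Approved :: GNU General Public License v3 (GPLv3)',
    'License :: OSI Approved :: GNU General Public License v2 or later (GPLv2+)',
    'License :: OSI Approved :: GNU General Public License v3 or later (GPLv3+)',
    'License :: OSI Approved :: GNU Affero General Public License v3 or later (AGPLv3+)',
    'License :: OSI Approved :: GNU Affero General Public License v3',
    'License :: OSI Approved :: GNU Library or Lesser General Public License (LGPL)',
]

# Constructed bad entry (not from the proposal): the short form claims
# "or later" but the long form does not.
MISMATCH = 'License :: OSI Approved :: GNU General Public License v3 (GPLv3+)'

if __name__ == '__main__':
    for line, problems in check_classifiers(PROPOSED + [MISMATCH]).items():
        print(line, '->', problems or 'ok')
```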

From hanno at hannosch.eu  Thu Mar 15 22:41:39 2012
From: hanno at hannosch.eu (Hanno Schlichting)
Date: Thu, 15 Mar 2012 22:41:39 +0100
Subject: [Catalog-sig] Restart discussion on GNU Public License with
 version classifiers
In-Reply-To: <20120315203835.GB11151@unaka.lan>
References: <20120315203835.GB11151@unaka.lan>
Message-ID: <CAJ5sox7SyGCEF-69NNQ_McSouEjYs4XGZQzUt6HMs+Na2w0pcw@mail.gmail.com>

On Thu, Mar 15, 2012 at 9:38 PM, Toshio Kuratomi <a.badger at gmail.com> wrote:
> Last time there were discussions around whether to place the version
> information in a subsequent field. Despite the discussion about this,
> a subsequent license has been added to the catalog where the version is
> included in the main string [3]_.
> .. [3]:
> http://mail.python.org/pipermail/catalog-sig/2012-January/004186.html

This was done to match the two existing entries:

License :: OSI Approved :: Mozilla Public License 1.0 (MPL)
License :: OSI Approved :: Mozilla Public License 1.1 (MPL 1.1)

So the following was added in the end:

License :: OSI Approved :: Mozilla Public License 2.0 (MPL 2.0)

I think an additional sub-namespace for GPL licenses doesn't really
add anything, so I'd be +1 on the proposal.

Hanno

From jesper at noehr.org  Thu Mar 15 19:19:23 2012
From: jesper at noehr.org (Jesper Noehr)
Date: Thu, 15 Mar 2012 11:19:23 -0700
Subject: [Catalog-sig] PyPI code now on bitbucket
In-Reply-To: <65F51FC4-6703-4322-8AA9-F6C0372BB73C@coderanger.net>
References: <4F6219D0.6050507@v.loewis.de>
	<91210437-8AED-4E98-9A2D-60E7A08621EF@coderanger.net>
	<4F622D10.2060901@v.loewis.de>
	<65F51FC4-6703-4322-8AA9-F6C0372BB73C@coderanger.net>
Message-ID: <CAJgxfqbZ5UEY5qUdowdviNye+7x0PSbeZT-wwAcWLz776pPrxw@mail.gmail.com>

Doug Hellmann sits on the PSF account on our end. :-)


Jesper

On Thu, Mar 15, 2012 at 11:14 AM, Noah Kantrowitz <noah at coderanger.net> wrote:
> Yes, I mean on Bitbucket but under the official PSF organization. I think it is https://bitbucket.org/PSF, but Jesper (CC'd) would know for sure.
>
> --Noah
>
> On Mar 15, 2012, at 10:55 AM, Martin v. Löwis wrote:
>
>> On 15.03.12 09:57, Noah Kantrowitz wrote:
>>> Any chance we can host that under the PSF organization instead of your personal account? Would help improve bus factor :-)
>>>
>>
>> Richard requested it to be on bitbucket, and he also has admin access to it.
>>
>> Regards,
>> Martin
>

From martin at v.loewis.de  Sun Mar 25 19:37:57 2012
From: martin at v.loewis.de ("Martin v. Löwis")
Date: Sun, 25 Mar 2012 19:37:57 +0200
Subject: [Catalog-sig] OAuth testing
Message-ID: <4F6F57F5.1060006@v.loewis.de>

We now have OAuth access as a test feature on PyPI. If you would
like to test this as a consumer, please send me your GPG key ID
and pypi account name, so I can generate a consumer key for you.

Regards,
Martin

From pydanny at gmail.com  Sun Mar 25 19:42:14 2012
From: pydanny at gmail.com (Daniel Greenfeld)
Date: Sun, 25 Mar 2012 10:42:14 -0700
Subject: [Catalog-sig] OAuth testing
In-Reply-To: <4F6F57F5.1060006@v.loewis.de>
References: <4F6F57F5.1060006@v.loewis.de>
Message-ID: <CAOoSJ_r77KkRTduvvPTtyuU-3aCEe-bU0uDyfDiGoxp-zTKcCQ@mail.gmail.com>

Some stupid questions on my part here:

1. Are you going to be mailing those consumer keys out or is there
some sort of secure interface?

2. Also, why a GPG key? Why not a simple web interface like what
Twitter/Facebook/Github gives you?

Daniel Greenfeld

On Sun, Mar 25, 2012 at 10:37 AM, "Martin v. Löwis" <martin at v.loewis.de> wrote:
> We now have OAuth access as a test feature on PyPI. If you would
> like to test this as a consumer, please send me your GPG key ID
> and pypi account name, so I can generate a consumer key for you.
>
> Regards,
> Martin
> _______________________________________________
> Catalog-SIG mailing list
> Catalog-SIG at python.org
> http://mail.python.org/mailman/listinfo/catalog-sig



-- 
'Knowledge is Power'
Daniel Greenfeld
http://pydanny.github.com

From martin at v.loewis.de  Sun Mar 25 19:45:50 2012
From: martin at v.loewis.de ("Martin v. Löwis")
Date: Sun, 25 Mar 2012 19:45:50 +0200
Subject: [Catalog-sig] OAuth testing
In-Reply-To: <CAOoSJ_r77KkRTduvvPTtyuU-3aCEe-bU0uDyfDiGoxp-zTKcCQ@mail.gmail.com>
References: <4F6F57F5.1060006@v.loewis.de>
	<CAOoSJ_r77KkRTduvvPTtyuU-3aCEe-bU0uDyfDiGoxp-zTKcCQ@mail.gmail.com>
Message-ID: <4F6F59CE.7030907@v.loewis.de>

On 25.03.2012 19:42, Daniel Greenfeld wrote:
> Some stupid questions on my part here:
> 
> 1. Are you going to be mailing those consumer keys out or is there
> some sort of secure interface?

It's email, and it's secure: I'll encrypt the email.

> 2. Also, why a GPG key? Why not a simple web interface like what
> Twitter/Facebook/Github gives you?

Because we haven't implemented such a user interface yet. If this
procedure is too much effort for you, just wait until the interface is
there.

Regards,
Martin

From michael at voidspace.org.uk  Thu Mar 29 12:36:03 2012
From: michael at voidspace.org.uk (Michael Foord)
Date: Thu, 29 Mar 2012 11:36:03 +0100
Subject: [Catalog-sig] bad package that's fishing bitbucket emails
In-Reply-To: <BLU0-SMTP1155F4C5D5BA125BF1E3305CA480@phx.gbl>
References: <BLU0-SMTP1155F4C5D5BA125BF1E3305CA480@phx.gbl>
Message-ID: <EAEBDA0D-2772-40E1-A805-439EDFC3318E@voidspace.org.uk>

Hello mt,

It doesn't appear to be a clone, but embedding bitbucket - and the Python package *seems* genuine. 

The correct place to report issues with pypi is the tracker (no-one on this webmaster alias is involved in the administration of pypi):

	http://sourceforge.net/tracker/?group_id=66150&atid=513503

For *discussing* PyPI issues, which seems wise for this particular question, the catalog-sig email list is the right place:

	http://www.python.org/community/sigs/current/catalog-sig/

I've copied them in on this email

All the best,

Michael Foord

On 29 Mar 2012, at 11:15, m t wrote:

> hi,
> this package in pypi doesn't redirect to bitbucket, but a cloned site that fishes bitbucket emails:
> http://pypi.python.org/pypi/Octopoda/.0.1
> 
> might want to look into it,
> mt
> 


--
http://www.voidspace.org.uk/


May you do good and not evil
May you find forgiveness for yourself and forgive others
May you share freely, never taking more than you give.
-- the sqlite blessing 
http://www.sqlite.org/different.html






From mal at egenix.com  Thu Mar 29 12:48:39 2012
From: mal at egenix.com (M.-A. Lemburg)
Date: Thu, 29 Mar 2012 12:48:39 +0200
Subject: [Catalog-sig] bad package that's fishing bitbucket emails
In-Reply-To: <EAEBDA0D-2772-40E1-A805-439EDFC3318E@voidspace.org.uk>
References: <BLU0-SMTP1155F4C5D5BA125BF1E3305CA480@phx.gbl>
	<EAEBDA0D-2772-40E1-A805-439EDFC3318E@voidspace.org.uk>
Message-ID: <4F743E07.20005@egenix.com>

Michael Foord wrote:
> Hello mt,
> 
> It doesn't appear to be a clone, but embedding bitbucket - and the Python package *seems* genuine. 

The site hosts an illegal copy of the bitbucket site and redirects the logins
not to bitbucket, but to code.thejeshgn.com:

http://code.thejeshgn.com/account/signin/

Needless to mention that the login info is sent in clear as well...

I think we should inform Atlassian about this.

> The correct place to report issues with pypi is the tracker (no-one on this webmaster alias is involved in the administration of pypi):
> 
> 	http://sourceforge.net/tracker/?group_id=66150&atid=513503
> 
> For *discussing* PyPI issues, which seems wise for this particular question, the catalog-sig email list is the right place:
> 
> 	http://www.python.org/community/sigs/current/catalog-sig/
> 
> I've copied them in on this email
> 
> All the best,
> 
> Michael Foord
> 
> On 29 Mar 2012, at 11:15, m t wrote:
> 
>> hi,
>> this package in pypi doesn't redirect to bitbucket, but a cloned site that fishes bitbucket emails:
>> http://pypi.python.org/pypi/Octopoda/.0.1
>>
>> might want to look into it,
>> mt
>>
> 
> 
> --
> http://www.voidspace.org.uk/
> 
> 
> May you do good and not evil
> May you find forgiveness for yourself and forgive others
> May you share freely, never taking more than you give.
> -- the sqlite blessing 
> http://www.sqlite.org/different.html
> 
> 
> 
> 
> 
> _______________________________________________
> Catalog-SIG mailing list
> Catalog-SIG at python.org
> http://mail.python.org/mailman/listinfo/catalog-sig

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Mar 29 2012)
>>> Python/Zope Consulting and Support ...        http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ...             http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________
2012-04-03: Python Meeting Duesseldorf                      5 days to go

::: Try our new mxODBC.Connect Python Database Interface for free ! ::::


   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/

From mal at egenix.com  Thu Mar 29 12:56:25 2012
From: mal at egenix.com (M.-A. Lemburg)
Date: Thu, 29 Mar 2012 12:56:25 +0200
Subject: [Catalog-sig] bad package that's fishing bitbucket emails
In-Reply-To: <4F743E07.20005@egenix.com>
References: <BLU0-SMTP1155F4C5D5BA125BF1E3305CA480@phx.gbl>
	<EAEBDA0D-2772-40E1-A805-439EDFC3318E@voidspace.org.uk>
	<4F743E07.20005@egenix.com>
Message-ID: <4F743FD9.7060504@egenix.com>

M.-A. Lemburg wrote:
> Michael Foord wrote:
>> Hello mt,
>>
>> It doesn't appear to be a clone, but embedding bitbucket - and the Python package *seems* genuine. 
> 
> The site hosts an illegal copy of the bitbucket site and redirects the logins
> not to bitbucket, but to the code.thejeshgn.com:
> 
> http://code.thejeshgn.com/account/signin/
> 
> Needless to mention that the login info is sent in clear as well...
> 
> I think we should inform Atlassian about this.

Looks like he cloned bitbucket for all his bitbucket repos:

http://code.thejeshgn.com/

and happily proxies requests through his site.

>> The correct place to report issues with pypi is the tracker (no-one on this webmaster alias is involved in the administration of pypi):
>>
>> 	http://sourceforge.net/tracker/?group_id=66150&atid=513503
>>
>> For *discussing* PyPI issues, which seems wise for this particular question, the catalog-sig email list is the right place:
>>
>> 	http://www.python.org/community/sigs/current/catalog-sig/
>>
>> I've copied them in on this email
>>
>> All the best,
>>
>> Michael Foord
>>
>> On 29 Mar 2012, at 11:15, m t wrote:
>>
>>> hi,
>>> this package in pypi doesn't redirect to bitbucket, but a cloned site that fishes bitbucket emails:
>>> http://pypi.python.org/pypi/Octopoda/.0.1
>>>
>>> might want to look into it,
>>> mt
>>>
>>
>>
>> --
>> http://www.voidspace.org.uk/
>>
>>
>> May you do good and not evil
>> May you find forgiveness for yourself and forgive others
>> May you share freely, never taking more than you give.
>> -- the sqlite blessing 
>> http://www.sqlite.org/different.html
>>
>>
>>
>>
>>
>> _______________________________________________
>> Catalog-SIG mailing list
>> Catalog-SIG at python.org
>> http://mail.python.org/mailman/listinfo/catalog-sig
> 

-- 
Marc-Andre Lemburg
eGenix.com


From ubershmekel at gmail.com  Thu Mar 29 13:04:59 2012
From: ubershmekel at gmail.com (Yuval Greenfield)
Date: Thu, 29 Mar 2012 13:04:59 +0200
Subject: [Catalog-sig] bad package that's fishing bitbucket emails
In-Reply-To: <4F743FD9.7060504@egenix.com>
References: <BLU0-SMTP1155F4C5D5BA125BF1E3305CA480@phx.gbl>
	<EAEBDA0D-2772-40E1-A805-439EDFC3318E@voidspace.org.uk>
	<4F743E07.20005@egenix.com> <4F743FD9.7060504@egenix.com>
Message-ID: <CANSw7Kwizp1+00N=Ee+o66Mi_r63Qk04djtCAbdqk4QAFL6yqg@mail.gmail.com>

I really dislike this tomfoolery with bitbucket, you can see that jgrid.org is
also a DNS redirection or something. It's bad security practice by
bitbucket to allow this imo.

Users should be trained for consistent address bars with HTTPS only, not
all these useless copies with strange URLs.

Yuval


From michael at voidspace.org.uk  Thu Mar 29 13:06:32 2012
From: michael at voidspace.org.uk (Michael Foord)
Date: Thu, 29 Mar 2012 12:06:32 +0100
Subject: [Catalog-sig] bad package that's fishing bitbucket emails
In-Reply-To: <CANSw7Kwizp1+00N=Ee+o66Mi_r63Qk04djtCAbdqk4QAFL6yqg@mail.gmail.com>
References: <BLU0-SMTP1155F4C5D5BA125BF1E3305CA480@phx.gbl>
	<EAEBDA0D-2772-40E1-A805-439EDFC3318E@voidspace.org.uk>
	<4F743E07.20005@egenix.com> <4F743FD9.7060504@egenix.com>
	<CANSw7Kwizp1+00N=Ee+o66Mi_r63Qk04djtCAbdqk4QAFL6yqg@mail.gmail.com>
Message-ID: <F3642822-C31D-4EE4-A5DF-5B32A0B370DD@voidspace.org.uk>


On 29 Mar 2012, at 12:04, Yuval Greenfield wrote:

> I really dislike this tomfoolery with bitbucket, you can see that jgrid.org is also a DNS redirection or something. It's bad security practice by bitbucket to allow this imo.
> 
> Users should be trained for consistent address bars with HTTPS only, not all these useless copies with strange URLs.
> 


That's not relevant as to whether or not the package in question should be removed from PyPI though.

Michael

> Catalog-SIG mailing list
> Catalog-SIG at python.org
> http://mail.python.org/mailman/listinfo/catalog-sig
> 


--
http://www.voidspace.org.uk/


May you do good and not evil
May you find forgiveness for yourself and forgive others
May you share freely, never taking more than you give.
-- the sqlite blessing 
http://www.sqlite.org/different.html






From robert.kern at gmail.com  Thu Mar 29 13:19:32 2012
From: robert.kern at gmail.com (Robert Kern)
Date: Thu, 29 Mar 2012 12:19:32 +0100
Subject: [Catalog-sig] bad package that's fishing bitbucket emails
In-Reply-To: <4F743FD9.7060504@egenix.com>
References: <BLU0-SMTP1155F4C5D5BA125BF1E3305CA480@phx.gbl>
	<EAEBDA0D-2772-40E1-A805-439EDFC3318E@voidspace.org.uk>
	<4F743E07.20005@egenix.com> <4F743FD9.7060504@egenix.com>
Message-ID: <jl1gg5$sq6$1@dough.gmane.org>

On 3/29/12 11:56 AM, M.-A. Lemburg wrote:
> M.-A. Lemburg wrote:
>> Michael Foord wrote:
>>> Hello mt,
>>>
>>> It doesn't appear to be a clone, but embedding bitbucket - and the Python package *seems* genuine.
>>
>> The site hosts an illegal copy of the bitbucket site and redirects the logins
>> not to bitbucket, but to the code.thejeshgn.com:
>>
>> http://code.thejeshgn.com/account/signin/
>>
>> Needless to mention that the login info is sent in clear as well...
>>
>> I think we should inform Atlassian about this.
>
> Looks like he cloned bitbucket for all his bitbucket repos:
>
> http://code.thejeshgn.com/
>
> and happily proxies requests through his site.

Are we sure this is not just an instance of this supported feature of Bitbucket?

http://confluence.atlassian.com/display/BITBUCKET/Using+your+Own+bitbucket+Domain+Name

-- 
Robert Kern

"I have come to believe that the whole world is an enigma, a harmless enigma
  that is made terrible by our own mad attempt to interpret it as though it had
  an underlying truth."
   -- Umberto Eco


From mal at egenix.com  Thu Mar 29 13:36:31 2012
From: mal at egenix.com (M.-A. Lemburg)
Date: Thu, 29 Mar 2012 13:36:31 +0200
Subject: [Catalog-sig] bad package that's fishing bitbucket emails
In-Reply-To: <jl1gg5$sq6$1@dough.gmane.org>
References: <BLU0-SMTP1155F4C5D5BA125BF1E3305CA480@phx.gbl>
	<EAEBDA0D-2772-40E1-A805-439EDFC3318E@voidspace.org.uk>
	<4F743E07.20005@egenix.com> <4F743FD9.7060504@egenix.com>
	<jl1gg5$sq6$1@dough.gmane.org>
Message-ID: <4F74493F.9090907@egenix.com>

Robert Kern wrote:
> On 3/29/12 11:56 AM, M.-A. Lemburg wrote:
>> M.-A. Lemburg wrote:
>>> Michael Foord wrote:
>>>> Hello mt,
>>>>
>>>> It doesn't appear to be a clone, but embedding bitbucket - and the Python package *seems* genuine.
>>>
>>> The site hosts an illegal copy of the bitbucket site and redirects the logins
>>> not to bitbucket, but to the code.thejeshgn.com:
>>>
>>> http://code.thejeshgn.com/account/signin/
>>>
>>> Needless to mention that the login info is sent in clear as well...
>>>
>>> I think we should inform Atlassian about this.
>>
>> Looks like he cloned bitbucket for all his bitbucket repos:
>>
>> http://code.thejeshgn.com/
>>
>> and happily proxies requests through his site.
> 
> Are we sure this is not just an instance of this supported feature of Bitbucket?
> 
> http://confluence.atlassian.com/display/BITBUCKET/Using+your+Own+bitbucket+Domain+Name

Oh dear, they even promote such use... what a poor security model :-(

You were right:

$ dig code.thejeshgn.com

; <<>> DiG 9.7.4-P1 <<>> code.thejeshgn.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34768
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 5, ADDITIONAL: 2

;; QUESTION SECTION:
;code.thejeshgn.com.            IN      A

;; ANSWER SECTION:
code.thejeshgn.com.     3600    IN      CNAME   bitbucket.org.
bitbucket.org.          360     IN      A       207.223.240.181
bitbucket.org.          360     IN      A       207.223.240.182

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Mar 29 2012)
>>> Python/Zope Consulting and Support ...        http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ...             http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________
2012-04-03: Python Meeting Duesseldorf                      5 days to go

::: Try our new mxODBC.Connect Python Database Interface for free ! ::::


   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/
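
The dig check above, turned into a repeatable test. This is an added example, not code from this thread, from Bitbucket or from PyPI: it parses the ANSWER SECTION of dig output like the one Marc-Andre posted, follows the CNAME chain, and reports whether the queried name is an alias of a trusted target (bitbucket.org, the "own domain name" feature Robert pointed to) or an independent host that answers with its own address, which is what a real clone or proxy would look like. The first sample inside the block is constructed to match the posted answer; the second sample (code.example.com, 203.0.113.10) is an invented counter-example on RFC 5737 documentation space, and the script name check_cname.py is an assumption. Note what the check does and does not tell you: the chain says whose servers answer for the name, which is why a sign-in posted to such a host still reaches Bitbucket; it says nothing about whether that sign-in form is submitted over plain HTTP, which is the separate concern Marc-Andre raised.

```python
"""Classify a hostname from dig(1) output.

Added example, not code from this thread or from Bitbucket/PyPI. It
follows the CNAME chain in a dig ANSWER SECTION and reports whether the
queried name is an alias of a trusted target (here bitbucket.org) or an
independent host that answers with its own address.
"""
import re
import sys

# One resource record line in a dig answer: "<owner> <ttl> IN <type> <rdata>"
_RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|AAAA|CNAME)\s+(\S+)\s*$")

# Constructed to mirror the dig output posted on the list.
SAMPLE_DIG_ALIAS = """\
; <<>> DiG 9.7.4-P1 <<>> code.thejeshgn.com
;; QUESTION SECTION:
;code.thejeshgn.com.            IN      A

;; ANSWER SECTION:
code.thejeshgn.com.     3600    IN      CNAME   bitbucket.org.
bitbucket.org.          360     IN      A       207.223.240.181
bitbucket.org.          360     IN      A       207.223.240.182

;; AUTHORITY SECTION:
"""

# Constructed counter-example (assumption, RFC 5737 address): a host that
# serves under its own name, as a real clone or proxy would.
SAMPLE_DIG_INDEPENDENT = """\
;; ANSWER SECTION:
code.example.com.       3600    IN      A       203.0.113.10
"""

TRUSTED = ("bitbucket.org",)


def _norm(name):
    """Strip the trailing dot and lower-case, so names compare equal."""
    return name.rstrip(".").lower()


def parse_answer_section(dig_output):
    """Return (owner, rtype, rdata) triples from the ANSWER SECTION only.

    AUTHORITY/ADDITIONAL records are ignored: only the answer says what
    the queried name resolves to.
    """
    records = []
    in_answer = False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
            continue
        if line.startswith(";;"):      # any other section header ends the answer
            in_answer = False
            continue
        if not in_answer or not line.strip():
            continue
        m = _RR.match(line)
        if m:
            owner, _ttl, rtype, rdata = m.groups()
            if rtype == "CNAME":
                rdata = _norm(rdata)
            records.append((_norm(owner), rtype, rdata))
    return records


def follow_cnames(records, name, max_hops=8):
    """Return the CNAME chain starting at name, ending at the canonical name."""
    cnames = {owner: rdata for owner, rtype, rdata in records if rtype == "CNAME"}
    chain = [_norm(name)]
    while chain[-1] in cnames and len(chain) <= max_hops:
        target = cnames[chain[-1]]
        if target in chain:            # CNAME loop: stop rather than spin
            break
        chain.append(target)
    return chain


def _is_trusted(name, trusted):
    return any(name == t or name.endswith("." + t) for t in trusted)


def classify_host(dig_output, name, trusted=TRUSTED):
    """Classify name as alias-of-trusted, alias-of-other or independent."""
    records = parse_answer_section(dig_output)
    chain = follow_cnames(records, name)
    final = chain[-1]
    addresses = [r for o, t, r in records if o == final and t in ("A", "AAAA")]
    if len(chain) == 1:
        verdict = "independent"         # answers under its own name
    elif _is_trusted(final, trusted):
        verdict = "alias-of-trusted"    # content is served by the trusted site
    else:
        verdict = "alias-of-other"
    return {"name": chain[0], "chain": chain, "addresses": addresses, "verdict": verdict}


if __name__ == "__main__":
    # Usage: dig code.thejeshgn.com | python3 check_cname.py code.thejeshgn.com
    host = sys.argv[1] if len(sys.argv) > 1 else "code.thejeshgn.com"
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIG_ALIAS
    print(classify_host(text, host))
```

Run without input and it classifies the embedded sample; pipe real dig output in to check another package's home page. An "alias-of-other" or "independent" verdict for a name that looks like a Bitbucket clone is the case worth reporting to the tracker and to Atlassian; "alias-of-trusted" is the supported custom-domain setup.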

From michael at voidspace.org.uk  Thu Mar 29 13:43:58 2012
From: michael at voidspace.org.uk (Michael Foord)
Date: Thu, 29 Mar 2012 12:43:58 +0100
Subject: [Catalog-sig] bad package that's fishing bitbucket emails
In-Reply-To: <BLU0-SMTP1528920E3C6DC337E08DFDBCA480@phx.gbl>
References: <BLU0-SMTP1155F4C5D5BA125BF1E3305CA480@phx.gbl>
	<EAEBDA0D-2772-40E1-A805-439EDFC3318E@voidspace.org.uk>
	<4F743E07.20005@egenix.com> <4F743FD9.7060504@egenix.com>
	<CANSw7Kwizp1+00N=Ee+o66Mi_r63Qk04djtCAbdqk4QAFL6yqg@mail.gmail.com>
	<F3642822-C31D-4EE4-A5DF-5B32A0B370DD@voidspace.org.uk>
	<BLU0-SMTP1528920E3C6DC337E08DFDBCA480@phx.gbl>
Message-ID: <51806C16-DAE7-49EA-9280-0DE689D49F7E@voidspace.org.uk>


On 29 Mar 2012, at 12:37, m t wrote:

> the other question is whether there are any others in pypi, and how to effectively detect them

Even if the package hosting is unethical it doesn't mean we *must* remove them from pypi. We should only do that if it is malicious (of course if we can't *tell* whether or not it is malicious it becomes a difficult question).

Michael

> mt
> 
> On Mar 29, 2012, at 4:06 AM, Michael Foord wrote:
> 
>> 
>> On 29 Mar 2012, at 12:04, Yuval Greenfield wrote:
>> 
>>> I really dislike this tomfoolery with bitbucket, you can see that jgrid.org is also a DNS redirection or something. It's bad security practice by bitbucket to allow this imo.
>>> 
>>> Users should be trained for consistent address bars with HTTPS only, not all these useless copies with strange URLs.
>>> 
>> 
>> 
>> That's not relevant as to whether or not the package in question should be removed from PyPI though.
>> 
>> Michael
>> 
>>> Yuval
>>> 
>>> On Thu, Mar 29, 2012 at 12:56 PM, M.-A. Lemburg <mal at egenix.com> wrote:
>>> M.-A. Lemburg wrote:
>>>> Michael Foord wrote:
>>>>> Hello mt,
>>>>> 
>>>>> It doesn't appear to be a clone, but embedding bitbucket - and the Python package *seems* genuine.
>>>> 
>>>> The site hosts an illegal copy of the bitbucket site and redirects the logins
>>>> not to bitbucket, but to the code.thejeshgn.com:
>>>> 
>>>> http://code.thejeshgn.com/account/signin/
>>>> 
>>>> Needless to mention that the login info is sent in clear as well...
>>>> 
>>>> I think we should inform Atlassian about this.
>>> 
>>> Looks like he cloned bitbucket for all his bitbucket repos:
>>> 
>>> http://code.thejeshgn.com/
>>> 
>>> and happily proxies requests through his site.
>>> 
>>>>> The correct place to report issues with pypi is the tracker (no-one on this webmaster alias is involved in the administration of pypi):
>>>>> 
>>>>>    http://sourceforge.net/tracker/?group_id=66150&atid=513503
>>>>> 
>>>>> For *discussing* PyPI issues, which seems wise for this particular question, the catalog-sig email list is the right place:
>>>>> 
>>>>>    http://www.python.org/community/sigs/current/catalog-sig/
>>>>> 
>>>>> I've copied them in on this email
>>>>> 
>>>>> All the best,
>>>>> 
>>>>> Michael Foord
>>>>> 
>>>>> On 29 Mar 2012, at 11:15, m t wrote:
>>>>> 
>>>>>> hi,
>>>>>> this package in pypi doesn't redirect to bitbucket, but a cloned site that fishes bitbucket emails:
>>>>>> http://pypi.python.org/pypi/Octopoda/.0.1
>>>>>> 
>>>>>> might want to look into it,
>>>>>> mt
>>>>>> 
>>>>> 
>>>>> 
>>>> 
>>> 
>>> 
>> 
>> 
> 
> 


--
http://www.voidspace.org.uk/


May you do good and not evil
May you find forgiveness for yourself and forgive others
May you share freely, never taking more than you give.
-- the sqlite blessing 
http://www.sqlite.org/different.html






From michael at voidspace.org.uk  Thu Mar 29 14:35:39 2012
From: michael at voidspace.org.uk (Michael Foord)
Date: Thu, 29 Mar 2012 13:35:39 +0100
Subject: [Catalog-sig] bad package that's fishing bitbucket emails
In-Reply-To: <BLU0-SMTP120980569B170B63220AAF8CA480@phx.gbl>
References: <BLU0-SMTP1155F4C5D5BA125BF1E3305CA480@phx.gbl>
	<EAEBDA0D-2772-40E1-A805-439EDFC3318E@voidspace.org.uk>
	<4F743E07.20005@egenix.com> <4F743FD9.7060504@egenix.com>
	<CANSw7Kwizp1+00N=Ee+o66Mi_r63Qk04djtCAbdqk4QAFL6yqg@mail.gmail.com>
	<F3642822-C31D-4EE4-A5DF-5B32A0B370DD@voidspace.org.uk>
	<BLU0-SMTP1528920E3C6DC337E08DFDBCA480@phx.gbl>
	<51806C16-DAE7-49EA-9280-0DE689D49F7E@voidspace.org.uk>
	<BLU0-SMTP120980569B170B63220AAF8CA480@phx.gbl>
Message-ID: <3623DA97-442A-4684-8775-B5BA23B6C217@voidspace.org.uk>


On 29 Mar 2012, at 13:32, m t wrote:

> i partly agree, but i think it's pretty obvious what the intent is
> the package on pypi has a malicious purpose
> if you can't trust the one end of the chain of events, there's no point in debating the integrity of the other end
> the aspect of trust was broken, the person and their code become untrustworthy from now on
> i was one second away from sending my credentials, so i might be biased here :)

It seems like the project is using a deliberate bitbucket feature and is unlikely to be either malicious or unethical.

All the best,

Michael

> mt
> 
> On Mar 29, 2012, at 4:43 AM, Michael Foord wrote:
> 
>> 
>> On 29 Mar 2012, at 12:37, m t wrote:
>> 
>>> the other question is whether there are any others in pypi, and how to effectively detect them
>> 
>> Even if the package hosting is unethical it doesn't mean we *must* remove them from pypi. We should only do that if it is malicious (of course if we can't *tell* whether or not it is malicious it becomes a difficult question).
>> 
>> Michael
>> 
>>> mt
>>> 
>>> On Mar 29, 2012, at 4:06 AM, Michael Foord wrote:
>>> 
>>>> 
>>>> On 29 Mar 2012, at 12:04, Yuval Greenfield wrote:
>>>> 
>>>>> I really dislike this tomfoolery with bitbucket, you can see that jgrid.org is also a DNS redirection or something. It's bad security practice by bitbucket to allow this imo.
>>>>> 
>>>>> Users should be trained for consistent address bars with HTTPS only, not all these useless copies with strange URLs.
>>>>> 
>>>> 
>>>> 
>>>> That's not relevant as to whether or not the package in question should be removed from PyPI though.
>>>> 
>>>> Michael
>>>> 
>>>>> Yuval
>>>>> 
>>>>> On Thu, Mar 29, 2012 at 12:56 PM, M.-A. Lemburg <mal at egenix.com> wrote:
>>>>> M.-A. Lemburg wrote:
>>>>>> Michael Foord wrote:
>>>>>>> Hello mt,
>>>>>>> 
>>>>>>> It doesn't appear to be a clone, but embedding bitbucket - and the Python package *seems* genuine.
>>>>>> 
>>>>>> The site hosts an illegal copy of the bitbucket site and redirects the logins
>>>>>> not to bitbucket, but to the code.thejeshgn.com:
>>>>>> 
>>>>>> http://code.thejeshgn.com/account/signin/
>>>>>> 
>>>>>> Needless to mention that the login info is sent in clear as well...
>>>>>> 
>>>>>> I think we should inform Atlassian about this.
>>>>> 
>>>>> Looks like he cloned bitbucket for all his bitbucket repos:
>>>>> 
>>>>> http://code.thejeshgn.com/
>>>>> 
>>>>> and happily proxies requests through his site.
>>>>> 
>>>>>>> The correct place to report issues with pypi is the tracker (no-one on this webmaster alias is involved in the administration of pypi):
>>>>>>> 
>>>>>>>  http://sourceforge.net/tracker/?group_id=66150&atid=513503
>>>>>>> 
>>>>>>> For *discussing* PyPI issues, which seems wise for this particular question, the catalog-sig email list is the right place:
>>>>>>> 
>>>>>>>  http://www.python.org/community/sigs/current/catalog-sig/
>>>>>>> 
>>>>>>> I've copied them in on this email
>>>>>>> 
>>>>>>> All the best,
>>>>>>> 
>>>>>>> Michael Foord
>>>>>>> 
>>>>>>> On 29 Mar 2012, at 11:15, m t wrote:
>>>>>>> 
>>>>>>>> hi,
>>>>>>>> this package in pypi doesn't redirect to bitbucket, but a cloned site that fishes bitbucket emails:
>>>>>>>> http://pypi.python.org/pypi/Octopoda/.0.1
>>>>>>>> 
>>>>>>>> might want to look into it,
>>>>>>>> mt
>>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>> 
>>>>> 
>>>>> 
>>>> 
>>>> 
>>> 
>>> 
>> 
>> 
> 
> 


--
http://www.voidspace.org.uk/


May you do good and not evil
May you find forgiveness for yourself and forgive others
May you share freely, never taking more than you give.
-- the sqlite blessing 
http://www.sqlite.org/different.html






From dreamabyss at hotmail.com  Thu Mar 29 13:34:18 2012
From: dreamabyss at hotmail.com (m t)
Date: Thu, 29 Mar 2012 04:34:18 -0700
Subject: [Catalog-sig] bad package that's fishing bitbucket emails
In-Reply-To: <4F743E07.20005@egenix.com>
References: <BLU0-SMTP1155F4C5D5BA125BF1E3305CA480@phx.gbl>
	<EAEBDA0D-2772-40E1-A805-439EDFC3318E@voidspace.org.uk>
	<4F743E07.20005@egenix.com>
Message-ID: <BLU0-SMTP82B71EE83E11309252B1AACA480@phx.gbl>

hi,
i already contacted atlassian, but you have more weight on this than me
i don't know when/if they'd get to my email!
mt
On Mar 29, 2012, at 3:48 AM, M.-A. Lemburg wrote:

> Michael Foord wrote:
>> Hello mt,
>> 
>> It doesn't appear to be a clone, but embedding bitbucket - and the Python package *seems* genuine. 
> 
> The site hosts an illegal copy of the bitbucket site and redirects the logins
> not to bitbucket, but to the code.thejeshgn.com:
> 
> http://code.thejeshgn.com/account/signin/
> 
> Needless to mention that the login info is sent in clear as well...
> 
> I think we should inform Atlassian about this.
> 
>> The correct place to report issues with pypi is the tracker (no-one on this webmaster alias is involved in the administration of pypi):
>> 
>> 	http://sourceforge.net/tracker/?group_id=66150&atid=513503
>> 
>> For *discussing* PyPI issues, which seems wise for this particular question, the catalog-sig email list is the right place:
>> 
>> 	http://www.python.org/community/sigs/current/catalog-sig/
>> 
>> I've copied them in on this email
>> 
>> All the best,
>> 
>> Michael Foord
>> 
>> On 29 Mar 2012, at 11:15, m t wrote:
>> 
>>> hi,
>>> this package in pypi doesn't redirect to bitbucket, but a cloned site that fishes bitbucket emails:
>>> http://pypi.python.org/pypi/Octopoda/.0.1
>>> 
>>> might want to look into it,
>>> mt
>>> 
>> 
>> 
> 
> 


From dreamabyss at hotmail.com  Thu Mar 29 13:37:28 2012
From: dreamabyss at hotmail.com (m t)
Date: Thu, 29 Mar 2012 04:37:28 -0700
Subject: [Catalog-sig] bad package that's fishing bitbucket emails
In-Reply-To: <F3642822-C31D-4EE4-A5DF-5B32A0B370DD@voidspace.org.uk>
References: <BLU0-SMTP1155F4C5D5BA125BF1E3305CA480@phx.gbl>
	<EAEBDA0D-2772-40E1-A805-439EDFC3318E@voidspace.org.uk>
	<4F743E07.20005@egenix.com> <4F743FD9.7060504@egenix.com>
	<CANSw7Kwizp1+00N=Ee+o66Mi_r63Qk04djtCAbdqk4QAFL6yqg@mail.gmail.com>
	<F3642822-C31D-4EE4-A5DF-5B32A0B370DD@voidspace.org.uk>
Message-ID: <BLU0-SMTP1528920E3C6DC337E08DFDBCA480@phx.gbl>

the other question is whether there are any others in pypi, and how to effectively detect them
mt

On Mar 29, 2012, at 4:06 AM, Michael Foord wrote:

> 
> On 29 Mar 2012, at 12:04, Yuval Greenfield wrote:
> 
>> I really dislike this tomfoolery with bitbucket, you can see that jgrid.org is also a DNS redirection or something. It's bad security practice by bitbucket to allow this imo.
>> 
>> Users should be trained for consistent address bars with HTTPS only, not all these useless copies with strange URLs.
>> 
> 
> 
> That's not relevant as to whether or not the package in question should be removed from PyPI though.
> 
> Michael
> 
>> Yuval
>> 
>> On Thu, Mar 29, 2012 at 12:56 PM, M.-A. Lemburg <mal at egenix.com> wrote:
>> M.-A. Lemburg wrote:
>>> Michael Foord wrote:
>>>> Hello mt,
>>>> 
>>>> It doesn't appear to be a clone, but embedding bitbucket - and the Python package *seems* genuine.
>>> 
>>> The site hosts an illegal copy of the bitbucket site and redirects the logins
>>> not to bitbucket, but to the code.thejeshgn.com:
>>> 
>>> http://code.thejeshgn.com/account/signin/
>>> 
>>> Needless to mention that the login info is sent in clear as well...
>>> 
>>> I think we should inform Atlassian about this.
>> 
>> Looks like he cloned bitbucket for all his bitbucket repos:
>> 
>> http://code.thejeshgn.com/
>> 
>> and happily proxies requests through his site.
>> 
>>>> The correct place to report issues with pypi is the tracker (no-one on this webmaster alias is involved in the administration of pypi):
>>>> 
>>>>     http://sourceforge.net/tracker/?group_id=66150&atid=513503
>>>> 
>>>> For *discussing* PyPI issues, which seems wise for this particular question, the catalog-sig email list is the right place:
>>>> 
>>>>     http://www.python.org/community/sigs/current/catalog-sig/
>>>> 
>>>> I've copied them in on this email
>>>> 
>>>> All the best,
>>>> 
>>>> Michael Foord
>>>> 
>>>> On 29 Mar 2012, at 11:15, m t wrote:
>>>> 
>>>>> hi,
>>>>> this package in pypi doesn't redirect to bitbucket, but a cloned site that fishes bitbucket emails:
>>>>> http://pypi.python.org/pypi/Octopoda/.0.1
>>>>> 
>>>>> might want to look into it,
>>>>> mt
>>>>> 
>>>> 
>>>> 
>>> 
>> 
>> 
> 
> 


From dreamabyss at hotmail.com  Thu Mar 29 14:32:54 2012
From: dreamabyss at hotmail.com (m t)
Date: Thu, 29 Mar 2012 05:32:54 -0700
Subject: [Catalog-sig] bad package that's fishing bitbucket emails
In-Reply-To: <51806C16-DAE7-49EA-9280-0DE689D49F7E@voidspace.org.uk>
References: <BLU0-SMTP1155F4C5D5BA125BF1E3305CA480@phx.gbl>
	<EAEBDA0D-2772-40E1-A805-439EDFC3318E@voidspace.org.uk>
	<4F743E07.20005@egenix.com> <4F743FD9.7060504@egenix.com>
	<CANSw7Kwizp1+00N=Ee+o66Mi_r63Qk04djtCAbdqk4QAFL6yqg@mail.gmail.com>
	<F3642822-C31D-4EE4-A5DF-5B32A0B370DD@voidspace.org.uk>
	<BLU0-SMTP1528920E3C6DC337E08DFDBCA480@phx.gbl>
	<51806C16-DAE7-49EA-9280-0DE689D49F7E@voidspace.org.uk>
Message-ID: <BLU0-SMTP120980569B170B63220AAF8CA480@phx.gbl>

i partly agree, but i think it's pretty obvious what the intent is
the package on pypi has a malicious purpose
if you can't trust the one end of the chain of events, there's no point in debating the integrity of the other end
the aspect of trust was broken, the person and their code become untrustworthy from now on
i was one second away from sending my credentials, so i might be biased here :)
mt

On Mar 29, 2012, at 4:43 AM, Michael Foord wrote:

> 
> On 29 Mar 2012, at 12:37, m t wrote:
> 
>> the other question is whether there are any others in pypi, and how to effectively detect them
> 
> Even if the package hosting is unethical it doesn't mean we *must* remove them from pypi. We should only do that if it is malicious (of course if we can't *tell* whether or not it is malicious it becomes a difficult question).
> 
> Michael
> 
>> mt
>> 
>> On Mar 29, 2012, at 4:06 AM, Michael Foord wrote:
>> 
>>> 
>>> On 29 Mar 2012, at 12:04, Yuval Greenfield wrote:
>>> 
>>>> I really dislike this tomfoolery with bitbucket, you can see that jgrid.org is also a DNS redirection or something. It's bad security practice by bitbucket to allow this imo.
>>>> 
>>>> Users should be trained for consistent address bars with HTTPS only, not all these useless copies with strange URLs.
>>>> 
>>> 
>>> 
>>> That's not relevant as to whether or not the package in question should be removed from PyPI though.
>>> 
>>> Michael
>>> 
>>>> Yuval
>>>> 
>>>> On Thu, Mar 29, 2012 at 12:56 PM, M.-A. Lemburg <mal at egenix.com> wrote:
>>>> M.-A. Lemburg wrote:
>>>>> Michael Foord wrote:
>>>>>> Hello mt,
>>>>>> 
>>>>>> It doesn't appear to be a clone, but embedding bitbucket - and the Python package *seems* genuine.
>>>>> 
>>>>> The site hosts an illegal copy of the bitbucket site and redirects the logins
>>>>> not to bitbucket, but to the code.thejeshgn.com:
>>>>> 
>>>>> http://code.thejeshgn.com/account/signin/
>>>>> 
>>>>> Needless to mention that the login info is sent in clear as well...
>>>>> 
>>>>> I think we should inform Atlassian about this.
>>>> 
>>>> Looks like he cloned bitbucket for all his bitbucket repos:
>>>> 
>>>> http://code.thejeshgn.com/
>>>> 
>>>> and happily proxies requests through his site.
>>>> 
>>>>>> The correct place to report issues with pypi is the tracker (no-one on this webmaster alias is involved in the administration of pypi):
>>>>>> 
>>>>>>   http://sourceforge.net/tracker/?group_id=66150&atid=513503
>>>>>> 
>>>>>> For *discussing* PyPI issues, which seems wise for this particular question, the catalog-sig email list is the right place:
>>>>>> 
>>>>>>   http://www.python.org/community/sigs/current/catalog-sig/
>>>>>> 
>>>>>> I've copied them in on this email
>>>>>> 
>>>>>> All the best,
>>>>>> 
>>>>>> Michael Foord
>>>>>> 
>>>>>> On 29 Mar 2012, at 11:15, m t wrote:
>>>>>> 
>>>>>>> hi,
>>>>>>> this package in pypi doesn't redirect to bitbucket, but a cloned site that fishes bitbucket emails:
>>>>>>> http://pypi.python.org/pypi/Octopoda/.0.1
>>>>>>> 
>>>>>>> might want to look into it,
>>>>>>> mt
>>>>>>> 
>>>>>> 
>>>>>> 
>>>>> 
>>>> 
>>>> 
>>> 
>>> 
>> 
>> 
> 
> 
> --
> http://www.voidspace.org.uk/
> 
> 
> May you do good and not evil
> May you find forgiveness for yourself and forgive others
> May you share freely, never taking more than you give.
> -- the sqlite blessing 
> http://www.sqlite.org/different.html
> 
> 
> 
> 
> 
> 


From martin at v.loewis.de  Thu Mar 29 16:02:16 2012
From: martin at v.loewis.de (martin at v.loewis.de)
Date: Thu, 29 Mar 2012 16:02:16 +0200
Subject: [Catalog-sig] bad package that's fishing bitbucket emails
In-Reply-To: <BLU0-SMTP120980569B170B63220AAF8CA480@phx.gbl>
References: <BLU0-SMTP1155F4C5D5BA125BF1E3305CA480@phx.gbl>
	<EAEBDA0D-2772-40E1-A805-439EDFC3318E@voidspace.org.uk>
	<4F743E07.20005@egenix.com> <4F743FD9.7060504@egenix.com>
	<CANSw7Kwizp1+00N=Ee+o66Mi_r63Qk04djtCAbdqk4QAFL6yqg@mail.gmail.com>
	<F3642822-C31D-4EE4-A5DF-5B32A0B370DD@voidspace.org.uk>
	<BLU0-SMTP1528920E3C6DC337E08DFDBCA480@phx.gbl>
	<51806C16-DAE7-49EA-9280-0DE689D49F7E@voidspace.org.uk>
	<BLU0-SMTP120980569B170B63220AAF8CA480@phx.gbl>
Message-ID: <20120329160216.Horde.UNdCLVNNcXdPdGtoAeNEpuA@webmail.df.eu>

> I partly agree, but I think it's pretty obvious what the intent is:
> the package on PyPI has a malicious purpose.

I completely disagree. The package *clearly* has a good intent,
and the package author has no malicious plans with it.

> If you can't trust the one end of the chain of events, there's no
> point in debating the integrity of the other end.
> The aspect of trust was broken; the person and their code become
> untrustworthy from now on.
> I was one second away from sending my credentials, so I might be
> biased here :)

And no harm would have been done in sending your credentials - the
package author would not have been able to obtain them.

Regards,
Martin



From a.badger at gmail.com  Thu Mar 29 17:01:59 2012
From: a.badger at gmail.com (Toshio Kuratomi)
Date: Thu, 29 Mar 2012 08:01:59 -0700
Subject: [Catalog-sig] Restart discussion on GNU Public License with
 version classifiers
In-Reply-To: <CAJ5sox7SyGCEF-69NNQ_McSouEjYs4XGZQzUt6HMs+Na2w0pcw@mail.gmail.com>
References: <20120315203835.GB11151@unaka.lan>
	<CAJ5sox7SyGCEF-69NNQ_McSouEjYs4XGZQzUt6HMs+Na2w0pcw@mail.gmail.com>
Message-ID: <20120329150159.GF11151@unaka.lan>

On Thu, Mar 15, 2012 at 10:41:39PM +0100, Hanno Schlichting wrote:
> On Thu, Mar 15, 2012 at 9:38 PM, Toshio Kuratomi <a.badger at gmail.com> wrote:
> > Last time there were discussions around whether to place the version
> > information in a subsequent field.  Despite the discussion about this,
> > a subsequent license has been added to the catalog where the version is
> > included in the main string [3]_.
> > .. [3]:
> > http://mail.python.org/pipermail/catalog-sig/2012-January/004186.html
> 
> This was done to match the two existing entries:
> 
> License :: OSI Approved :: Mozilla Public License 1.0 (MPL)
> License :: OSI Approved :: Mozilla Public License 1.1 (MPL 1.1)
> 
> So the following was added in the end:
> 
> License :: OSI Approved :: Mozilla Public License 2.0 (MPL 2.0)
> 
> I think an additional sub-namespace for GPL licenses doesn't really
> add anything, so I'd be +1 on the proposal.
> 

Two weeks with no objections raised.  Could we have the following added?

License :: OSI Approved :: GNU Lesser General Public License v2 (LGPLv2)
License :: OSI Approved :: GNU Lesser General Public License v3 (LGPLv3)
License :: OSI Approved :: GNU Lesser General Public License v2 or later (LGPLv2+)
License :: OSI Approved :: GNU Lesser General Public License v3 or later (LGPLv3+)
License :: OSI Approved :: GNU General Public License v2 (GPLv2)
License :: OSI Approved :: GNU General Public License v3 (GPLv3)
License :: OSI Approved :: GNU General Public License v2 or later (GPLv2+)
License :: OSI Approved :: GNU General Public License v3 or later (GPLv3+)
License :: OSI Approved :: GNU Affero General Public License v3 or later (AGPLv3+)


Thank you,
-Toshio
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://mail.python.org/pipermail/catalog-sig/attachments/20120329/1c5b28cb/attachment-0001.pgp>

From dreamabyss at hotmail.com  Fri Mar 30 02:11:49 2012
From: dreamabyss at hotmail.com (m t)
Date: Thu, 29 Mar 2012 17:11:49 -0700
Subject: [Catalog-sig] bad package that's fishing bitbucket emails
In-Reply-To: <3623DA97-442A-4684-8775-B5BA23B6C217@voidspace.org.uk>
References: <BLU0-SMTP1155F4C5D5BA125BF1E3305CA480@phx.gbl>
	<EAEBDA0D-2772-40E1-A805-439EDFC3318E@voidspace.org.uk>
	<4F743E07.20005@egenix.com> <4F743FD9.7060504@egenix.com>
	<CANSw7Kwizp1+00N=Ee+o66Mi_r63Qk04djtCAbdqk4QAFL6yqg@mail.gmail.com>
	<F3642822-C31D-4EE4-A5DF-5B32A0B370DD@voidspace.org.uk>
	<BLU0-SMTP1528920E3C6DC337E08DFDBCA480@phx.gbl>
	<51806C16-DAE7-49EA-9280-0DE689D49F7E@voidspace.org.uk>
	<BLU0-SMTP120980569B170B63220AAF8CA480@phx.gbl>
	<3623DA97-442A-4684-8775-B5BA23B6C217@voidspace.org.uk>
Message-ID: <BLU0-SMTP405B9C9439EFA2CE0497936CA490@phx.gbl>

Hi,
Yuval and Michael were right (attached below is Bitbucket's reply); I definitely over-reacted.
Hopefully there is some way for you guys to automatically detect nefarious packages before they enter PyPI.
Thanks for the communication, top-notch.
Good job with the feedback and discussion,
mt

And here is Bitbucket's reply to my notifying them of that repo:

Brodie Rao, Mar 29 13:07 (PDT):
Hi mt,

I don't think that user's phishing; he's just using our CNAME feature that lets him point a domain name to his Bitbucket profile and repositories.

You'll get different opinions from other people on the Bitbucket team, but I'm personally not a fan of the feature because of the confusing security implications it has (as you've found out). It does indeed lead you to log into the site using his domain name.

We may look into improving how logins work on CNAMEs in the future. For now, you can still view his repositories on bitbucket.org directly. I recommend doing that if you don't trust the owner of the domain name.

If you have any other questions, let me know.

Thanks,
Brodie

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/catalog-sig/attachments/20120329/15c669f8/attachment.html>
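As an added illustration of the distinction Brodie draws above (this is not code from PyPI, Bitbucket, or anyone on this thread), the check below classifies the host that a login form posts credentials to: bitbucket.org itself, a custom domain whose CNAME ends at bitbucket.org (the situation in this thread, where the domain owner rather than Bitbucket controls the name you typed your password into), or a host that DNS cannot tie to Bitbucket at all. The CNAME_RECORDS table is a constructed stand-in for a real DNS lookup, and every name under .test is made up for the example.

```python
"""Where does this login form send my Bitbucket password?

Added example for the Catalog-SIG thread above; not code from PyPI,
Bitbucket, or any participant. Hostnames under .test and the CNAME table
are constructed for illustration.
"""
from typing import Optional
from urllib.parse import urlparse

# Hosts on which typing Bitbucket credentials is expected. Matching is
# label-aware: "bitbucket.org.evil.test" is NOT under bitbucket.org.
CANONICAL_HOSTS = ("bitbucket.org",)

# Constructed stand-in for DNS: owner name -> CNAME target. In practice
# you would resolve the name (e.g. `dig +short CNAME <host>`) instead.
CNAME_RECORDS = {
    "hg.example-dev.test": "bitbucket.org.",            # custom domain pointed at Bitbucket
    "www.example-dev.test": "hg.example-dev.test.",     # two-hop chain
    "code.unrelated.test": "pages.example-host.test.",  # pointed somewhere else entirely
    "a.loop.test": "b.loop.test.",                      # misconfigured loop
    "b.loop.test": "a.loop.test.",
}


def host_under(host: str, apex: str) -> bool:
    """True if host equals apex or is a subdomain of it (whole labels only)."""
    host = host.lower().rstrip(".")
    apex = apex.lower().rstrip(".")
    return host == apex or host.endswith("." + apex)


def is_canonical(host: str) -> bool:
    return any(host_under(host, apex) for apex in CANONICAL_HOSTS)


def cname_target(host: str, records=CNAME_RECORDS, max_hops: int = 8) -> Optional[str]:
    """Follow the CNAME chain for host and return the final target name,
    or None if host has no CNAME. Stops on loops and overly long chains."""
    current = host.lower().rstrip(".")
    seen = set()
    target = None
    for _ in range(max_hops):
        if current not in records or current in seen:
            break
        seen.add(current)
        current = records[current].lower().rstrip(".")
        target = current
    return target


def classify_login(form_action_url: str, records=CNAME_RECORDS) -> str:
    """Classify the host a login form posts credentials to.

    Returns one of:
      "canonical"          posts to bitbucket.org or a subdomain of it
      "cname-to-canonical" a custom domain whose CNAME ends at bitbucket.org:
                           the page is probably Bitbucket's, but whoever owns
                           the domain controls the name you typed into
      "cleartext"          not https; the credentials travel unprotected
      "foreign"            no relation to bitbucket.org that DNS can vouch for
    """
    parts = urlparse(form_action_url)
    host = (parts.hostname or "").lower()
    if not host:
        return "foreign"
    if parts.scheme != "https":
        return "cleartext"
    if is_canonical(host):
        return "canonical"
    target = cname_target(host, records)
    if target is not None and is_canonical(target):
        return "cname-to-canonical"
    return "foreign"


if __name__ == "__main__":
    for url in (
        "https://bitbucket.org/account/signin/",
        "https://hg.example-dev.test/account/signin/",
        "https://bitbucket.org.evil.test/account/signin/",
        "http://hg.example-dev.test/account/signin/",
    ):
        print(f"{classify_login(url):20s} {url}")
```

The "cname-to-canonical" verdict is deliberately not collapsed into "canonical": the DNS record only shows where the name points today, and the owner of the custom domain can repoint it (or front it with their own server) at any time, which is exactly the confusion Brodie describes. Following his advice and logging in only on bitbucket.org directly is the same as accepting nothing but the "canonical" result.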