[Catalog-sig] bad package that's phishing bitbucket emails

m t dreamabyss at hotmail.com
Thu Mar 29 14:32:54 CEST 2012


i partly agree, but i think it's pretty obvious what the intent is
the package on pypi has a malicious purpose
if you can't trust the one end of the chain of events, there's no point in debating the integrity of the other end
the aspect of trust was broken, the person and their code become untrustworthy from now on
i was one second away from sending my credentials, so i might be biased here :)
mt

On Mar 29, 2012, at 4:43 AM, Michael Foord wrote:

> 
> On 29 Mar 2012, at 12:37, m t wrote:
> 
>> the other question is whether there are any others in pypi, and how to effectively detect them
> 
> Even if the package hosting is unethical it doesn't mean we *must* remove them from pypi. We should only do that if it is malicious (of course if we can't *tell* whether or not it is malicious it becomes a difficult question).
> 
> Michael
> 
>> mt
>> 
>> On Mar 29, 2012, at 4:06 AM, Michael Foord wrote:
>> 
>>> 
>>> On 29 Mar 2012, at 12:04, Yuval Greenfield wrote:
>>> 
>>>> I really dislike this tomfoolery with bitbucket, you can see that jgrid.org is also a DNS redirection or something. It's bad security practice by bitbucket to allow this imo.
>>>> 
>>>> Users should be trained for consistent address bars with HTTPS only, not all these useless copies with strange URLs.
>>>> 
>>> 
>>> 
>>> That's not relevant as to whether or not the package in question should be removed from PyPI though.
>>> 
>>> Michael
>>> 
>>>> Yuval
>>>> 
>>>> On Thu, Mar 29, 2012 at 12:56 PM, M.-A. Lemburg <mal at egenix.com> wrote:
>>>> M.-A. Lemburg wrote:
>>>>> Michael Foord wrote:
>>>>>> Hello mt,
>>>>>> 
>>>>>> It doesn't appear to be a clone, but embedding bitbucket - and the Python package *seems* genuine.
>>>>> 
>>>>> The site hosts an illegal copy of the bitbucket site and redirects the logins
>>>>> not to bitbucket, but to the code.thejeshgn.com:
>>>>> 
>>>>> http://code.thejeshgn.com/account/signin/
>>>>> 
>>>>> Needless to mention that the login info is sent in clear as well...
>>>>> 
>>>>> I think we should inform Atlassian about this.
>>>> 
>>>> Looks like he cloned bitbucket for all his bitbucket repos:
>>>> 
>>>> http://code.thejeshgn.com/
>>>> 
>>>> and happily proxies requests through his site.
>>>> 
>>>>>> The correct place to report issues with pypi is the tracker (no-one on this webmaster alias is involved in the administration of pypi):
>>>>>> 
>>>>>>   http://sourceforge.net/tracker/?group_id=66150&atid=513503
>>>>>> 
>>>>>> For *discussing* PyPI issues, which seems wise for this particular question, the catalog-sig email list is the right place:
>>>>>> 
>>>>>>   http://www.python.org/community/sigs/current/catalog-sig/
>>>>>> 
>>>>>> I've copied them in on this email
>>>>>> 
>>>>>> All the best,
>>>>>> 
>>>>>> Michael Foord
>>>>>> 
>>>>>> On 29 Mar 2012, at 11:15, m t wrote:
>>>>>> 
>>>>>>> hi,
>>>>>>> this package in pypi doesn't redirect to bitbucket, but a cloned site that phishes bitbucket emails:
>>>>>>> http://pypi.python.org/pypi/Octopoda/.0.1
>>>>>>> 
>>>>>>> might want to look into it,
>>>>>>> mt
>>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> --
>>>>>> http://www.voidspace.org.uk/
>>>>>> 
>>>>>> 
>>>>>> May you do good and not evil
>>>>>> May you find forgiveness for yourself and forgive others
>>>>>> May you share freely, never taking more than you give.
>>>>>> -- the sqlite blessing
>>>>>> http://www.sqlite.org/different.html
>>>>>> 
>>>>>> _______________________________________________
>>>>>> Catalog-SIG mailing list
>>>>>> Catalog-SIG at python.org
>>>>>> http://mail.python.org/mailman/listinfo/catalog-sig
>>>>> 
>>>> 
>>>> --
>>>> Marc-Andre Lemburg
>>>> eGenix.com
>>>> 
>>>> Professional Python Services directly from the Source  (#1, Mar 29 2012)
>>>>>>> Python/Zope Consulting and Support ...        http://www.egenix.com/
>>>>>>> mxODBC.Zope.Database.Adapter ...             http://zope.egenix.com/
>>>>>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
>>>> ________________________________________________________________________
>>>> 2012-04-03: Python Meeting Duesseldorf                      5 days to go
>>>> 
>>>> ::: Try our new mxODBC.Connect Python Database Interface for free ! ::::
>>>> 
>>>> 
>>>> eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
>>>> D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
>>>>        Registered at Amtsgericht Duesseldorf: HRB 46611
>>>>            http://www.egenix.com/company/contact/
>>>> 
>>> 
>>> 
>> 
>> 
> 
> 
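A defender-side check for the pattern Marc-Andre describes above (a look-alike sign-in page whose form sends the password to a different host, in the clear). This is example code added to the archive page, not something posted in the thread; the hostnames and sample HTML are constructed.

```python
# Added example (not from the thread): flag login forms that would send a
# password to a host other than the one the page claims to be, or over plain
# http. Hostnames and the sample page below are constructed for illustration.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Record each <form> action and whether the form contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []        # [{"action": str, "has_password": bool}, ...]
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def credential_form_findings(html, page_url, expected_host):
    """Return one finding string per problem: a password form whose resolved
    action is on a different host than expected_host, or not served over https.
    An empty list means every password form posts to expected_host over https."""
    parser = _FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        target = urlsplit(urljoin(page_url, form["action"]))  # relative actions resolve against the page
        host = (target.hostname or "").lower()
        if host != expected_host.lower():
            findings.append(f"password form posts to {host}, expected {expected_host}")
        if target.scheme != "https":
            findings.append(f"password form posts over {target.scheme}, not https")
    return findings


# Constructed sample: a look-alike sign-in page whose form posts the password,
# over plain http, to the clone's own host rather than to the real service.
SAMPLE_HTML = """<form method="post" action="http://clone.example.net/account/signin/">
<input name="username"><input type="password" name="password"></form>"""
```

Running `credential_form_findings(SAMPLE_HTML, "https://clone.example.net/", "bitbucket.org")` yields two findings (wrong host, cleartext); a genuine page whose password form posts to the expected host over https yields none.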