[Catalog-sig] bad package that's fishing bitbucket emails

martin at v.loewis.de
Thu Mar 29 16:02:16 CEST 2012


> I partly agree, but I think it's pretty obvious what the intent is
> the package on pypi has a malicious purpose

I completely disagree. The package *clearly* has a good intent,
and the package author has no malicious plans with it.

> if you can't trust the one end of the chain of events, there's no
> point in debating the integrity of the other end
> the aspect of trust was broken, the person and their code become
> untrustworthy from now on
> I was one second away from sending my credentials, so I might be
> biased here :)

And no harm would have been done in sending your credentials - the
package author would not have been able to obtain them.

Regards,
Martin