[Catalog-sig] bad package that's phishing bitbucket emails

m t dreamabyss at hotmail.com
Fri Mar 30 02:11:49 CEST 2012

Yuval and Michael were right (attached below is Bitbucket's reply); I definitely over-reacted.
Hopefully there is some way for you guys to automatically detect nefarious packages from entering PyPI.
Thanks for the communication, top-notch.
Good job with the feedback and discussion.

And here is Bitbucket's reply to my notifying them of that repo:

Brodie Rao, Mar 29 13:07 (PDT):
Hi mt,

I don't think that user's phishing; he's just using our CNAME feature that lets him point a domain name to his Bitbucket profile and repositories.

You'll get different opinions from other people on the Bitbucket team, but I'm personally not a fan of the feature because of the confusing security implications it has (as you've found out). It does indeed lead you to log into the site using his domain name.

We may look into improving how logins work on CNAMEs in the future. For now, you can still view his repositories on bitbucket.org directly. I recommend doing that if you don't trust the owner of the domain name.

If you have any other questions, let me know.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/catalog-sig/attachments/20120329/15c669f8/attachment.html>
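The confusion Brodie describes comes from a vanity domain being a CNAME alias of the hosting site, so a login page can legitimately appear on a name that is not bitbucket.org. The following is an added example, not code from this thread or from Bitbucket: it follows a CNAME chain from a constructed, in-memory DNS table (the names in it are hypothetical, as is the assumption that the chain ends at bitbucket.org) and classifies the host a login URL posts to as canonical, an alias of the canonical host, or unrelated, so that a client or a user-facing check only accepts credentials on the canonical origin. It also guards against CNAME loops and over-long chains, which real resolvers reject.

```python
from urllib.parse import urlsplit

# Hosts on which entering credentials for this service is acceptable.
CANONICAL_HOSTS = {"bitbucket.org"}

# Constructed CNAME records for the example (hypothetical names, not real DNS data).
CNAME_TABLE = {
    "code.example-vanity.net.": "example-vanity.bitbucket.org.",
    "example-vanity.bitbucket.org.": "bitbucket.org.",
    "loop-a.example.": "loop-b.example.",
    "loop-b.example.": "loop-a.example.",
}


def _fqdn(name):
    """Normalise a DNS name: lower-case with exactly one trailing dot."""
    return name.strip().rstrip(".").lower() + "."


def resolve_cname_chain(host, table=CNAME_TABLE, max_hops=8):
    """Follow CNAME records from host and return every name visited, ending at
    the first name that has no CNAME. Raises ValueError on a loop or an
    over-long chain instead of spinning forever."""
    chain = []
    name = _fqdn(host)
    while name in table:
        if name in chain:
            raise ValueError(f"CNAME loop detected at {name}")
        if len(chain) >= max_hops:
            raise ValueError(f"CNAME chain longer than {max_hops} hops")
        chain.append(name)
        name = _fqdn(table[name])
    chain.append(name)
    return chain


def _under_canonical(name):
    """True if name is a canonical host or a subdomain of one."""
    bare = name.rstrip(".").lower()
    return any(bare == c or bare.endswith("." + c) for c in CANONICAL_HOSTS)


def classify_login_host(url, table=CNAME_TABLE):
    """Return 'canonical', 'alias' or 'unrelated' for the host a login URL posts to.

    'alias' means the name is not the canonical host itself but its CNAME chain
    terminates there, i.e. the vanity-domain case from the thread."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        raise ValueError("URL has no host")
    if _under_canonical(host):
        return "canonical"
    if _under_canonical(resolve_cname_chain(host, table)[-1]):
        return "alias"
    return "unrelated"


def credentials_allowed(url, table=CNAME_TABLE):
    """Only the canonical origin should ever receive the password."""
    return classify_login_host(url, table) == "canonical"


if __name__ == "__main__":
    for u in ("https://bitbucket.org/account/signin/",
              "https://code.example-vanity.net/account/signin/",
              "https://unrelated.example/login"):
        print(u, "->", classify_login_host(u), "| allowed:", credentials_allowed(u))
```

The classifier treats an alias as distinct from the canonical host on purpose: the alias may be wholly legitimate, as Bitbucket's reply says, but the user cannot tell that from the address bar, so the safe default is the one Brodie recommends, namely signing in on bitbucket.org directly.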
