[Distutils] Name arbitration on PyPI (was: The mypy package)

Donald Stufft donald at stufft.io
Mon Apr 18 18:21:32 EDT 2016 

> On Apr 18, 2016, at 6:14 PM, Glyph <glyph at twistedmatrix.com> wrote:
> 
> 
>> On Apr 18, 2016, at 2:31 PM, Ian Cordasco <graffatcolmingov at gmail.com <mailto:graffatcolmingov at gmail.com>> wrote:
>> 
>> I have in fact offered but the author refuses to accept help from
>> anyone. They're also the author of the C library (libyaml) and they do
>> not maintain that either. It's actually quite frustrating as someone
>> who wants to fix some of the numerous bugs in the library + improve it
>> and add support for YAML 1.2 which is years old at this point.
> 
> Since the spectre of malware has been raised in this thread, I feel I should point out that the reverse is also true.  Although libyaml / pyyaml are "trusted" today, what happens after the inevitable 0-day RCE drops which the author refuses to patch it?  Does PyPI have a responsibility to re-assign the name in that case?  Specifically, YAML does have a heritage <http://www.sitepoint.com/anatomy-of-an-exploit-an-in-depth-look-at-the-rails-yaml-vulnerability/> of vulnerabilities, even if this specific instance doesn't.
> 

We don’t currently have much in the way of mechanisms to deal with that. Although I could think of a few that we could do which *wouldn’t* require handing over the name and which could generalize out to other maintenance/abandonment problems as well, like (in order of severity):

* Add a warning on the PyPI page indicating that the project is abandoned/unmaintained/etc suggesting they find something else (possibly with specific suggestions, like PIL -> Pillow).

* Add some mechanism to pip/PyPI that would allow PyPI to provide a message to people installing a particular project (or perhaps a specific version). This could also be exposed to authors who want to mark specific versions of their project as insecure.

* Delete the files from PyPI or otherwise prevent them from being discovered by pip (likely paired with the a warning of some kind on the PyPI page).

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/distutils-sig/attachments/20160418/3a4c576b/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 842 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mail.python.org/pipermail/distutils-sig/attachments/20160418/3a4c576b/attachment-0001.sig>

More information about the Distutils-SIG mailing list