[Distutils] Malicious packages on PyPI

Nick Timkovich prometheus235 at gmail.com
Thu Jun 1 19:00:47 EDT 2017


This issue was also brought up in January at
https://github.com/pypa/pypi-legacy/issues/585, and then, just as after the
initial "typosquatting PyPI" report (June 2016), it's met with resounding
silence. Attacking the messenger doesn't seem like a winning move from a
security standpoint.

Can we come up with a plan to address the underlying issue and protect
users?

Nick

On Thu, Jun 1, 2017 at 5:25 PM, Richard Jones <richard at python.org> wrote:

> On 2 June 2017 at 03:40, Thomas Kluyver <thomas at kluyver.me.uk> wrote:
>
>> On Thu, Jun 1, 2017, at 06:32 PM, Matt Joyce wrote:
>> There *appear* to be, but I checked several of the names listed there,
>> and they're not on PyPI:
>>
>> https://pypi.python.org/pypi/tkinter
>> https://pypi.python.org/pypi/memcached
>> https://pypi.python.org/pypi/vtk
>> https://pypi.python.org/pypi/python-dev
>> https://pypi.python.org/pypi/opencv
>>
>> So I wonder if the data is fake. Or maybe they were already taken down?
>> Or the installations are real, but not using those names.
>>
>
> Yes, we had the author take them down; please see
> https://github.com/pypa/pypi-legacy/issues/644
>
>
> Richard