[Distutils] Malicious packages on PyPI
Richard Jones
richard at python.org
Thu Jun 1 19:11:42 EDT 2017
On 2 June 2017 at 09:00, Nick Timkovich <prometheus235 at gmail.com> wrote:
> This issue was also brought up in January at https://github.com/pypa/pypi-legacy/issues/585
> then just as after the initial "typosquatting PyPI"
> report (June 2016) it's met with resounding silence. Attacking the
> messenger doesn't seem like a winning move from a security standpoint.
>
> Can we come up with a plan to address the underlying issue and protect
> users?
>
We haven't yet, but I'm not holding that as proof that we couldn't.
Richard