[Distutils] Malicious packages on PyPI
Noah Kantrowitz
noah at coderanger.net
Thu Jun 1 19:17:29 EDT 2017
> On Jun 1, 2017, at 4:00 PM, Nick Timkovich <prometheus235 at gmail.com> wrote:
>
> This issue was also brought up in January at https://github.com/pypa/pypi-legacy/issues/585 then just as after the initial "typosquatting PyPI" report (June 2016) it's met with resounding silence. Attacking the messenger doesn't seem like a winning move from a security standpoint.
>
> Can we come up with a plan to address the underlying issue and protect users?
If you have a systemic solution I'm sure we would love to hear it :)
--Noah
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: Message signed with OpenPGP
URL: <http://mail.python.org/pipermail/distutils-sig/attachments/20170601/dee6883f/attachment-0001.sig>
More information about the Distutils-SIG
mailing list