[Distutils] Malicious packages on PyPI

Nick Coghlan ncoghlan at gmail.com
Fri Jun 2 04:05:33 EDT 2017


On 2 June 2017 at 09:00, Nick Timkovich <prometheus235 at gmail.com> wrote:
> This issue was also brought up in January at
> https://github.com/pypa/pypi-legacy/issues/585 then just as after the
> initial "typosquatting PyPI" report (June 2016) it's met with resounding
> silence. Attacking the messenger doesn't seem like a winning move from a
> security standpoint.
>
> Can we come up with a plan to address the underlying issue and protect
> users?

I like the suggestion of an auto-generated "common 404" blacklist,
where regularly queried-but-nonexistent names can't be registered
without prior approval by the PyPI admins or the PSF.

Beyond that, one of the biggest challenges we face with the status quo
is that it's mainly perceived by commercial redistributors as an
opportunity to sell people security scanning and component
whitelisting tools, rather than as a shared ecosystem health
management problem to be addressed collectively :(

Cheers,
Nick.

-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
