[Distutils] Malicious packages on PyPI

Richard Jones richard at python.org
Fri Jun 2 05:42:59 EDT 2017


On 2 June 2017 at 18:05, Nick Coghlan <ncoghlan at gmail.com> wrote:

> On 2 June 2017 at 09:00, Nick Timkovich <prometheus235 at gmail.com> wrote:
> > This issue was also brought up in January at
> > https://github.com/pypa/pypi-legacy/issues/585 then just as after the
> > initial "typosquatting PyPI" report (June 2016) it's met with resounding
> > silence. Attacking the messenger doesn't seem like a winning move from a
> > security standpoint.
> >
> > Can we come up with a plan to address the underlying issue and protect
> > users?
>
> I like the suggestion of an auto-generated "common 404" blacklist,
> where regularly queried-but-nonexistent names can't be registered
> without prior approval by the PyPI admins or the PSF.
>

I like it also, but it adds an additional administration burden on top of
that which is not being coped with at the moment.

117 open issues in https://github.com/pypa/pypi-legacy/issues
219 open support tickets in https://sourceforge.net/p/pypi/support-requests/


    Richard
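To make the "common 404" blacklist idea above concrete, here is an added illustration in Python (not code from this thread, from PyPI or from the PSF): it tallies package names that clients repeatedly request from the simple index but that do not exist, and refuses registration of those names unless an admin has approved them. The log line format, the threshold and the sample log are constructed assumptions; name normalization follows PEP 503.

```python
from __future__ import annotations

import re
from collections import Counter

# Constructed sample access log (not real PyPI traffic):
# "<client> <status> /simple/<name>/" is a package lookup against the simple index.
SAMPLE_LOG = """\
10.0.0.1 200 /simple/requests/
10.0.0.2 404 /simple/reqeusts/
10.0.0.3 404 /simple/reqeusts/
10.0.0.4 404 /simple/ReqEusts/
10.0.0.5 404 /simple/urllib/
10.0.0.6 404 /simple/urllib/
10.0.0.7 404 /simple/urllib/
10.0.0.8 404 /simple/onetypo/
10.0.0.9 200 /simple/numpy/
"""

# Assumed log layout: client, HTTP status, request path.
LINE_RE = re.compile(r"^\S+ (\d{3}) /simple/([^/]+)/")


def normalize(name: str) -> str:
    """PEP 503 normalization: lowercase, runs of '-', '_' and '.' become one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def common_404_names(log_text: str, threshold: int) -> set[str]:
    """Names that were requested but missing (404) at least `threshold` times."""
    misses: Counter[str] = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(1) == "404":
            misses[normalize(m.group(2))] += 1
    return {name for name, n in misses.items() if n >= threshold}


def registration_allowed(name: str, blocklist: set[str], approved: set[str]) -> bool:
    """A blocklisted name may only be registered after explicit admin approval."""
    norm = normalize(name)
    return norm not in blocklist or norm in approved


if __name__ == "__main__":
    blocklist = common_404_names(SAMPLE_LOG, threshold=3)
    print(sorted(blocklist))
    print(registration_allowed("ReqEusts", blocklist, approved=set()))
```

Rare misses such as `onetypo` stay below the threshold, so the list only grows with names that are queried often enough to be attractive squatting targets.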