[Python-Dev] SK-CSIRT identified malicious software libraries in the official Python package repository, PyPI

Victor Stinner victor.stinner at gmail.com
Fri Sep 15 17:16:34 EDT 2017


An idea for typo squatting would be to compute the Levenshtein
distance with package names of the standard library and the top 100 most
popular PyPI packages, and require contacting a moderation team if the
name is too close to an existing package. The moderation team would
review the email, but also watch the package for 1 month to check
that everything seems fine.

It requires having a list of all package names of the standard
library, and maintaining an up-to-date list of popular PyPI package
names.

It also requires setting up a mailing list, and tooling to report the
error message to users, and then giving moderators the right to create
the package. I'm not sure that it's easy to implement.

Victor
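The name-similarity check proposed above, as an added example that is not part of Victor's post nor of PyPI's own code. The reference name lists, the distance threshold of 2 and the sample candidate names are constructed assumptions; name normalization follows PEP 503.

```python
# Added example (not from the post or PyPI): a Levenshtein-based check of
# new package names against reference names. Lists below are constructed.
import re
import sys

# Constructed sample of stdlib module names and popular PyPI project names.
STDLIB_NAMES = {"urllib", "json", "collections", "hashlib", "asyncio"}
POPULAR_PYPI_NAMES = {"requests", "numpy", "setuptools", "six", "django"}

# Assumed threshold: names within this many edits are held for moderation.
MAX_DISTANCE = 2

def normalize(name: str) -> str:
    """PEP 503 name normalization: lower-case and collapse runs of -, _ and ."""
    return re.sub(r"[-_.]+", "-", name).lower()

def levenshtein(a: str, b: str) -> int:
    """Classic dynamic-programming edit distance (insert/delete/substitute)."""
    if len(a) < len(b):
        a, b = b, a
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1,                 # deletion
                               current[j - 1] + 1,              # insertion
                               previous[j - 1] + (ca != cb)))   # substitution
        previous = current
    return previous[-1]

def closest_reserved(name: str) -> tuple[str, int]:
    """Return (closest reference name, edit distance) for a candidate name."""
    candidate = normalize(name)
    reference = STDLIB_NAMES | POPULAR_PYPI_NAMES
    best = min(reference, key=lambda r: levenshtein(candidate, normalize(r)))
    return best, levenshtein(candidate, normalize(best))

def needs_moderation(name: str) -> bool:
    """True for a near miss; exact duplicates are already refused by the index."""
    _, dist = closest_reserved(name)
    return 0 < dist <= MAX_DISTANCE

if __name__ == "__main__":
    for new_name in sys.argv[1:] or ["reqeusts", "urlib", "mypkg"]:
        best, dist = closest_reserved(new_name)
        verdict = "hold for moderation" if needs_moderation(new_name) else "allow"
        print(f"{new_name!r}: closest {best!r} (distance {dist}) -> {verdict}")
```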

