From fuzzyman at gmail.com Fri Mar 2 14:08:25 2012
From: fuzzyman at gmail.com (Michael Foord)
Date: Fri, 2 Mar 2012 13:08:25 +0000
Subject: [Catalog-sig] PyPI download stats stopped updating
Message-ID:

Hey folks,

http://sourceforge.net/tracker/?func=detail&aid=3496035&group_id=66150&atid=513503

It looks like download stats for packages have stopped updating.

All the best,

Michael Foord

--
http://www.voidspace.org.uk/

May you do good and not evil
May you find forgiveness for yourself and forgive others
May you share freely, never taking more than you give.
-- the sqlite blessing
http://www.sqlite.org/different.html

From donald.stufft at gmail.com Fri Mar 2 19:02:41 2012
From: donald.stufft at gmail.com (Donald Stufft)
Date: Fri, 2 Mar 2012 13:02:41 -0500
Subject: [Catalog-sig] PyPI download stats stopped updating
In-Reply-To:
References:
Message-ID: <5CDC608C2C0D47C8A2C295D7F4072110@gmail.com>

I've also seen this. Logging on Crate.io shows that no updates have occurred at least since the 28th; I've gotten reports of it being since the 26th.

Curiously the data at pypi.python.org/stats/ *seems* like it might be updating.

On Friday, March 2, 2012 at 8:08 AM, Michael Foord wrote:
> Hey folks,
>
> http://sourceforge.net/tracker/?func=detail&aid=3496035&group_id=66150&atid=513503
>
> It looks like download stats for packages have stopped updating.
>
> All the best,
>
> Michael Foord
>
> --
> http://www.voidspace.org.uk/
>
> May you do good and not evil
> May you find forgiveness for yourself and forgive others
> May you share freely, never taking more than you give.
> -- the sqlite blessing
> http://www.sqlite.org/different.html

From martin at v.loewis.de Sun Mar 4 00:00:02 2012
From: martin at v.loewis.de ("Martin v. Löwis")
Date: Sun, 04 Mar 2012 00:00:02 +0100
Subject: [Catalog-sig] PyPI download stats stopped updating
In-Reply-To:
References:
Message-ID: <4F52A272.7000408@v.loewis.de>

> It looks like download stats for packages have stopped updating.

I have now fixed it. After the last dinsdale crash, the postgres WAL was corrupted. Even though Noah (IIRC) had fixed that, apparently there were inconsistencies in the database. As a consequence, updating the download counter triggered an assertion in postgres, which in turn caused the transaction to abort.

I tried reindexing the database, which failed due to a duplicate primary key in the user table. I manually removed the duplicate record, reindexed the database, and ran the stats integration. So now all should be fine.
Regards,
Martin

From martin at v.loewis.de Tue Mar 13 21:17:32 2012
From: martin at v.loewis.de ("Martin v. Löwis")
Date: Tue, 13 Mar 2012 13:17:32 -0700
Subject: [Catalog-sig] Mirror selection
Message-ID: <4F5FAB5C.7000406@v.loewis.de>

We were just talking about PyPI mirror selection at the sprint, so people asked me to release the current implementation of my mirror selection algorithm, which is now at

http://www.dcl.hpi.uni-potsdam.de/home/loewis/_mirrorlib.py

The main function is

def find_mirror(start_with='a', good_age = 30*60, slow_mirrors_wait = 5, prefer_fastest = True):
    '''find_mirrors(start_with, good_age, slow_mirrors_wait, prefer_fastest)
         -> [(name, family, IP, response_time, last_modified)]

    Find a PyPI mirror matching given criteria. start_with indicates the
    first mirror that should be considered (defaults to 'a'). If
    prefer_fastest is True, it stops with the first mirror responding.
    Mirrors 'compete' against each other in randomly-shuffled batches of 10.
    If this procedure goes on for longer than slow_mirrors_wait (default 5s)
    and prefer_fastest is false, return even if not all mirrors have been
    responding. If no matching mirror can be found, the newest one that did
    respond is returned.
    If no mirror can be found at all, ValueError is raised'''

Regards,
Martin

From martin at v.loewis.de Thu Mar 15 17:33:20 2012
From: martin at v.loewis.de ("Martin v. Löwis")
Date: Thu, 15 Mar 2012 09:33:20 -0700
Subject: [Catalog-sig] PyPI code now on bitbucket
Message-ID: <4F6219D0.6050507@v.loewis.de>

I moved the PyPI code to

https://bitbucket.org/loewis/pypi

Regards,
Martin

From noah at coderanger.net Thu Mar 15 17:57:22 2012
From: noah at coderanger.net (Noah Kantrowitz)
Date: Thu, 15 Mar 2012 09:57:22 -0700
Subject: [Catalog-sig] PyPI code now on bitbucket
In-Reply-To: <4F6219D0.6050507@v.loewis.de>
References: <4F6219D0.6050507@v.loewis.de>
Message-ID: <91210437-8AED-4E98-9A2D-60E7A08621EF@coderanger.net>

Any chance we can host that under the PSF organization instead of your personal account? Would help improve bus factor :-)

--Noah

On Mar 15, 2012, at 9:33 AM, Martin v. Löwis wrote:
> I moved the PyPI code to
>
> https://bitbucket.org/loewis/pypi
>
> Regards,
> Martin

From martin at v.loewis.de Thu Mar 15 18:55:28 2012
From: martin at v.loewis.de ("Martin v. Löwis")
Date: Thu, 15 Mar 2012 10:55:28 -0700
Subject: [Catalog-sig] PyPI code now on bitbucket
In-Reply-To: <91210437-8AED-4E98-9A2D-60E7A08621EF@coderanger.net>
References: <4F6219D0.6050507@v.loewis.de> <91210437-8AED-4E98-9A2D-60E7A08621EF@coderanger.net>
Message-ID: <4F622D10.2060901@v.loewis.de>

On 15.03.12 09:57, Noah Kantrowitz wrote:
> Any chance we can host that under the PSF organization instead of your personal account?
> Would help improve bus factor :-)

Richard requested it to be on bitbucket, and he also has admin access to it.

Regards,
Martin

From noah at coderanger.net Thu Mar 15 19:14:53 2012
From: noah at coderanger.net (Noah Kantrowitz)
Date: Thu, 15 Mar 2012 11:14:53 -0700
Subject: [Catalog-sig] PyPI code now on bitbucket
In-Reply-To: <4F622D10.2060901@v.loewis.de>
References: <4F6219D0.6050507@v.loewis.de> <91210437-8AED-4E98-9A2D-60E7A08621EF@coderanger.net> <4F622D10.2060901@v.loewis.de>
Message-ID: <65F51FC4-6703-4322-8AA9-F6C0372BB73C@coderanger.net>

Yes, I mean on Bitbucket but under the official PSF organization. I think it is https://bitbucket.org/PSF, but Jesper (CC'd) would know for sure.

--Noah

On Mar 15, 2012, at 10:55 AM, Martin v. Löwis wrote:
> On 15.03.12 09:57, Noah Kantrowitz wrote:
>> Any chance we can host that under the PSF organization instead of your personal account? Would help improve bus factor :-)
>
> Richard requested it to be on bitbucket, and he also has admin access to it.
>
> Regards,
> Martin

From martin at v.loewis.de Thu Mar 15 19:36:29 2012
From: martin at v.loewis.de ("Martin v. Löwis")
Date: Thu, 15 Mar 2012 11:36:29 -0700
Subject: [Catalog-sig] PyPI code now on bitbucket
In-Reply-To:
References: <4F6219D0.6050507@v.loewis.de> <91210437-8AED-4E98-9A2D-60E7A08621EF@coderanger.net> <4F622D10.2060901@v.loewis.de> <65F51FC4-6703-4322-8AA9-F6C0372BB73C@coderanger.net>
Message-ID: <4F6236AD.1020909@v.loewis.de>

On 15.03.12 11:19, Jesper Noehr wrote:
> Doug Hellmann sits on the PSF account on our end. :-)

Ah, ok. Who needs to do what to make this happen?
Regards,
Martin

From noah at coderanger.net Thu Mar 15 19:39:33 2012
From: noah at coderanger.net (Noah Kantrowitz)
Date: Thu, 15 Mar 2012 11:39:33 -0700
Subject: [Catalog-sig] PyPI code now on bitbucket
In-Reply-To: <4F6236AD.1020909@v.loewis.de>
References: <4F6219D0.6050507@v.loewis.de> <91210437-8AED-4E98-9A2D-60E7A08621EF@coderanger.net> <4F622D10.2060901@v.loewis.de> <65F51FC4-6703-4322-8AA9-F6C0372BB73C@coderanger.net> <4F6236AD.1020909@v.loewis.de>
Message-ID: <7C4DF68A-0D46-484F-8E2B-7E03F6010FF8@coderanger.net>

Doug, can you make a PyPI repo under the PSF account and add martin and richard as admins? Then you can just push there too and all will be well :-)

You might want to just remove the copy under your username and fork the main one after that so it is in the forks list, but the repo under your username can be used for your personal development while the main one stays stable for deployment.

--Noah

On Mar 15, 2012, at 11:36 AM, Martin v. Löwis wrote:
> On 15.03.12 11:19, Jesper Noehr wrote:
>> Doug Hellmann sits on the PSF account on our end. :-)
>
> Ah, ok. Who needs to do what to make this happen?
>
> Regards,
> Martin

From a.badger at gmail.com Thu Mar 15 21:38:35 2012
From: a.badger at gmail.com (Toshio Kuratomi)
Date: Thu, 15 Mar 2012 13:38:35 -0700
Subject: [Catalog-sig] Restart discussion on GNU Public License with version classifiers
Message-ID: <20120315203835.GB11151@unaka.lan>

In November of 2011 [1]_ we started talking about adding classifiers for the GNU Public license family that included the version information. I think we decided that this had value but got caught up in bikeshedding the exact format. It would be nice to get this resolved and into pypi, though, so I'm going to revive my proposal.

.. [1]_: http://mail.python.org/pipermail/catalog-sig/2011-November/004028.html

== New license classifiers ==

License :: OSI Approved :: GNU Lesser General Public License v2 (LGPLv2)
License :: OSI Approved :: GNU Lesser General Public License v3 (LGPLv3)
License :: OSI Approved :: GNU Lesser General Public License v2 or later (LGPLv2+)
License :: OSI Approved :: GNU Lesser General Public License v3 or later (LGPLv3+)
License :: OSI Approved :: GNU General Public License v2 (GPLv2)
License :: OSI Approved :: GNU General Public License v3 (GPLv3)
License :: OSI Approved :: GNU General Public License v2 or later (GPLv2+)
License :: OSI Approved :: GNU General Public License v3 or later (GPLv3+)
License :: OSI Approved :: GNU Affero General Public License v3 or later (AGPLv3+)

== Current license classifier that won't be replaced ==

License :: OSI Approved :: GNU Affero General Public License v3

Should there be a version 4 of the AGPL we would add:

License :: OSI Approved :: GNU Affero General Public License v4 (AGPLv4)
License :: OSI Approved :: GNU Affero General Public License v4 or later (AGPLv4+)

== "Deprecated"[2]_ License classifiers ==

License :: OSI Approved :: GNU Free Documentation License (FDL)
License :: OSI Approved :: GNU General Public License (GPL)
License :: OSI Approved :: GNU Library or Lesser General Public License (LGPL)

.. [2]_: Deprecated doesn't have any real meaning as we won't get rid of them. We'll just be telling people to use the other classifiers should they ask.

== Alternatives ==

Last time there were discussions around whether to place the version information in a subsequent field. Despite the discussion about this, a subsequent license has been added to the catalog where the version is included in the main string [3]_. The original reporter of the need for versioned GPL tags also felt that having a 4th level would do less to clarify the licensing intent than my proposal [4]_.

In writing this summary, I found that there hasn't been a solid proposal of what the classifier for a broken-out version would look like. I can't think of a good way to write one since I don't know how it would interact with the shortforms of the licenses (ex: LGPLv2). If someone would like to make a complete alternate proposal I just want to see this done so I'll offer constructive criticism on it.

.. [3]: http://mail.python.org/pipermail/catalog-sig/2012-January/004186.html
.. [4]_: http://mail.python.org/pipermail/catalog-sig/2011-December/004078.html

-Toshio

From hanno at hannosch.eu Thu Mar 15 22:41:39 2012
From: hanno at hannosch.eu (Hanno Schlichting)
Date: Thu, 15 Mar 2012 22:41:39 +0100
Subject: [Catalog-sig] Restart discussion on GNU Public License with version classifiers
In-Reply-To: <20120315203835.GB11151@unaka.lan>
References: <20120315203835.GB11151@unaka.lan>
Message-ID:

On Thu, Mar 15, 2012 at 9:38 PM, Toshio Kuratomi wrote:
> Last time there were discussions around whether to place the version
> information in a subsequent field. Despite the discussion about this,
> a subsequent license has been added to the catalog where the version is
> included in the main string [3]_.
> .. [3]:
> http://mail.python.org/pipermail/catalog-sig/2012-January/004186.html

This was done to match the two existing entries:

License :: OSI Approved :: Mozilla Public License 1.0 (MPL)
License :: OSI Approved :: Mozilla Public License 1.1 (MPL 1.1)

So the following was added in the end:

License :: OSI Approved :: Mozilla Public License 2.0 (MPL 2.0)

I think an additional sub-namespace for GPL licenses doesn't really add anything, so I'd be +1 on the proposal.
Hanno

From jesper at noehr.org Thu Mar 15 19:19:23 2012
From: jesper at noehr.org (Jesper Noehr)
Date: Thu, 15 Mar 2012 11:19:23 -0700
Subject: [Catalog-sig] PyPI code now on bitbucket
In-Reply-To: <65F51FC4-6703-4322-8AA9-F6C0372BB73C@coderanger.net>
References: <4F6219D0.6050507@v.loewis.de> <91210437-8AED-4E98-9A2D-60E7A08621EF@coderanger.net> <4F622D10.2060901@v.loewis.de> <65F51FC4-6703-4322-8AA9-F6C0372BB73C@coderanger.net>
Message-ID:

Doug Hellmann sits on the PSF account on our end. :-)

Jesper

On Thu, Mar 15, 2012 at 11:14 AM, Noah Kantrowitz wrote:
> Yes, I mean on Bitbucket but under the official PSF organization. I think it is https://bitbucket.org/PSF, but Jesper (CC'd) would know for sure.
>
> --Noah
>
> On Mar 15, 2012, at 10:55 AM, Martin v. Löwis wrote:
>
>> On 15.03.12 09:57, Noah Kantrowitz wrote:
>>> Any chance we can host that under the PSF organization instead of your personal account? Would help improve bus factor :-)
>>
>> Richard requested it to be on bitbucket, and he also has admin access to it.
>>
>> Regards,
>> Martin

From martin at v.loewis.de Sun Mar 25 19:37:57 2012
From: martin at v.loewis.de ("Martin v. Löwis")
Date: Sun, 25 Mar 2012 19:37:57 +0200
Subject: [Catalog-sig] OAuth testing
Message-ID: <4F6F57F5.1060006@v.loewis.de>

We now have OAuth access as a test feature on PyPI. If you would like to test this as a consumer, please send me your GPG key ID and pypi account name, so I can generate a consumer key for you.

Regards,
Martin

From pydanny at gmail.com Sun Mar 25 19:42:14 2012
From: pydanny at gmail.com (Daniel Greenfeld)
Date: Sun, 25 Mar 2012 10:42:14 -0700
Subject: [Catalog-sig] OAuth testing
In-Reply-To: <4F6F57F5.1060006@v.loewis.de>
References: <4F6F57F5.1060006@v.loewis.de>
Message-ID:

Some stupid questions on my part here:

1. Are you going to be mailing those consumer keys out or is there some sort of secure interface?

2. Also, why a GPG key?
Why not a simple web interface like what Twitter/Facebook/Github gives you?

Daniel Greenfeld

On Sun, Mar 25, 2012 at 10:37 AM, "Martin v. Löwis" wrote:
> We now have OAuth access as a test feature on PyPI. If you would
> like to test this as a consumer, please send me your GPG key ID
> and pypi account name, so I can generate a consumer key for you.
>
> Regards,
> Martin

--
'Knowledge is Power'
Daniel Greenfeld
http://pydanny.github.com

From martin at v.loewis.de Sun Mar 25 19:45:50 2012
From: martin at v.loewis.de ("Martin v. Löwis")
Date: Sun, 25 Mar 2012 19:45:50 +0200
Subject: [Catalog-sig] OAuth testing
In-Reply-To:
References: <4F6F57F5.1060006@v.loewis.de>
Message-ID: <4F6F59CE.7030907@v.loewis.de>

On 25.03.2012 19:42, Daniel Greenfeld wrote:
> Some stupid questions on my part here:
>
> 1. Are you going to be mailing those consumer keys out or is there
> some sort of secure interface?

It's email, and it's secure: I'll encrypt the email.

> 2. Also, why a GPG key? Why not a simple web interface like what
> Twitter/Facebook/Github gives you?

Because we haven't implemented such a user interface yet. If this procedure is too much effort for you, just wait until the interface is there.

Regards,
Martin

From michael at voidspace.org.uk Thu Mar 29 12:36:03 2012
From: michael at voidspace.org.uk (Michael Foord)
Date: Thu, 29 Mar 2012 11:36:03 +0100
Subject: [Catalog-sig] bad package that's phishing bitbucket emails
In-Reply-To:
References:
Message-ID:

Hello mt,

It doesn't appear to be a clone, but embedding bitbucket - and the Python package *seems* genuine.
The correct place to report issues with pypi is the tracker (no-one on this webmaster alias is involved in the administration of pypi):

http://sourceforge.net/tracker/?group_id=66150&atid=513503

For *discussing* PyPI issues, which seems wise for this particular question, the catalog-sig email list is the right place:

http://www.python.org/community/sigs/current/catalog-sig/

I've copied them in on this email.

All the best,

Michael Foord

On 29 Mar 2012, at 11:15, m t wrote:
> hi,
> this package in pypi doesn't redirect to bitbucket, but a cloned site that phishes bitbucket emails:
> http://pypi.python.org/pypi/Octopoda/.0.1
>
> might want to look into it,
> mt

--
http://www.voidspace.org.uk/

May you do good and not evil
May you find forgiveness for yourself and forgive others
May you share freely, never taking more than you give.
-- the sqlite blessing
http://www.sqlite.org/different.html

From mal at egenix.com Thu Mar 29 12:48:39 2012
From: mal at egenix.com (M.-A. Lemburg)
Date: Thu, 29 Mar 2012 12:48:39 +0200
Subject: [Catalog-sig] bad package that's phishing bitbucket emails
In-Reply-To:
References:
Message-ID: <4F743E07.20005@egenix.com>

Michael Foord wrote:
> Hello mt,
>
> It doesn't appear to be a clone, but embedding bitbucket - and the Python package *seems* genuine.

The site hosts an illegal copy of the bitbucket site and redirects the logins not to bitbucket, but to code.thejeshgn.com:

http://code.thejeshgn.com/account/signin/

Needless to mention that the login info is sent in the clear as well...

I think we should inform Atlassian about this.
> The correct place to report issues with pypi is the tracker (no-one on this webmaster alias is involved in the administration of pypi):
>
> http://sourceforge.net/tracker/?group_id=66150&atid=513503
>
> For *discussing* PyPI issues, which seems wise for this particular question, the catalog-sig email list is the right place:
>
> http://www.python.org/community/sigs/current/catalog-sig/
>
> I've copied them in on this email.
>
> All the best,
>
> Michael Foord
>
> On 29 Mar 2012, at 11:15, m t wrote:
>
>> hi,
>> this package in pypi doesn't redirect to bitbucket, but a cloned site that phishes bitbucket emails:
>> http://pypi.python.org/pypi/Octopoda/.0.1
>>
>> might want to look into it,
>> mt

--
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Mar 29 2012)
>>> Python/Zope Consulting and Support ...        http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ...             http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________
2012-04-03: Python Meeting Duesseldorf                     5 days to go

::: Try our new mxODBC.Connect Python Database Interface for free ! ::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/

From mal at egenix.com Thu Mar 29 12:56:25 2012
From: mal at egenix.com (M.-A. Lemburg)
Date: Thu, 29 Mar 2012 12:56:25 +0200
Subject: [Catalog-sig] bad package that's phishing bitbucket emails
In-Reply-To: <4F743E07.20005@egenix.com>
References: <4F743E07.20005@egenix.com>
Message-ID: <4F743FD9.7060504@egenix.com>

M.-A. Lemburg wrote:
> Michael Foord wrote:
>> Hello mt,
>>
>> It doesn't appear to be a clone, but embedding bitbucket - and the Python package *seems* genuine.
>
> The site hosts an illegal copy of the bitbucket site and redirects the logins
> not to bitbucket, but to code.thejeshgn.com:
>
> http://code.thejeshgn.com/account/signin/
>
> Needless to mention that the login info is sent in the clear as well...
>
> I think we should inform Atlassian about this.

Looks like he cloned bitbucket for all his bitbucket repos:

http://code.thejeshgn.com/

and happily proxies requests through his site.

>> The correct place to report issues with pypi is the tracker (no-one on this webmaster alias is involved in the administration of pypi):
>>
>> http://sourceforge.net/tracker/?group_id=66150&atid=513503
>>
>> For *discussing* PyPI issues, which seems wise for this particular question, the catalog-sig email list is the right place:
>>
>> http://www.python.org/community/sigs/current/catalog-sig/
>>
>> I've copied them in on this email.
>>
>> All the best,
>>
>> Michael Foord
>>
>> On 29 Mar 2012, at 11:15, m t wrote:
>>
>>> hi,
>>> this package in pypi doesn't redirect to bitbucket, but a cloned site that phishes bitbucket emails:
>>> http://pypi.python.org/pypi/Octopoda/.0.1
>>>
>>> might want to look into it,
>>> mt
>>
>> --
>> http://www.voidspace.org.uk/
>>
>> May you do good and not evil
>> May you find forgiveness for yourself and forgive others
>> May you share freely, never taking more than you give.
>> -- the sqlite blessing
>> http://www.sqlite.org/different.html

--
Marc-Andre Lemburg
eGenix.com

From ubershmekel at gmail.com Thu Mar 29 13:04:59 2012
From: ubershmekel at gmail.com (Yuval Greenfield)
Date: Thu, 29 Mar 2012 13:04:59 +0200
Subject: [Catalog-sig] bad package that's phishing bitbucket emails
In-Reply-To: <4F743FD9.7060504@egenix.com>
References: <4F743E07.20005@egenix.com> <4F743FD9.7060504@egenix.com>
Message-ID:

I really dislike this tomfoolery with bitbucket; you can see that jgrid.org is also a DNS redirection or something. It's bad security practice by bitbucket to allow this imo.

Users should be trained for consistent address bars with HTTPS only, not all these useless copies with strange URLs.

Yuval

On Thu, Mar 29, 2012 at 12:56 PM, M.-A. Lemburg wrote:
> M.-A. Lemburg wrote:
> > Michael Foord wrote:
> >> Hello mt,
> >>
> >> It doesn't appear to be a clone, but embedding bitbucket - and the Python package *seems* genuine.
> >
> > The site hosts an illegal copy of the bitbucket site and redirects the logins
> > not to bitbucket, but to code.thejeshgn.com:
> >
> > http://code.thejeshgn.com/account/signin/
> >
> > Needless to mention that the login info is sent in the clear as well...
> >
> > I think we should inform Atlassian about this.
>
> Looks like he cloned bitbucket for all his bitbucket repos:
>
> http://code.thejeshgn.com/
>
> and happily proxies requests through his site.
>
> [...]

From michael at voidspace.org.uk Thu Mar 29 13:06:32 2012
From: michael at voidspace.org.uk (Michael Foord)
Date: Thu, 29 Mar 2012 12:06:32 +0100
Subject: [Catalog-sig] bad package that's phishing bitbucket emails
In-Reply-To:
References: <4F743E07.20005@egenix.com> <4F743FD9.7060504@egenix.com>
Message-ID:

On 29 Mar 2012, at 12:04, Yuval Greenfield wrote:
> I really dislike this tomfoolery with bitbucket; you can see that jgrid.org is also a DNS redirection or something. It's bad security practice by bitbucket to allow this imo.
>
> Users should be trained for consistent address bars with HTTPS only, not all these useless copies with strange URLs.

That's not relevant as to whether or not the package in question should be removed from PyPI though.

Michael

> Yuval
>
> On Thu, Mar 29, 2012 at 12:56 PM, M.-A. Lemburg wrote:
> [...]

From robert.kern at gmail.com Thu Mar 29 13:19:32 2012
From: robert.kern at gmail.com (Robert Kern)
Date: Thu, 29 Mar 2012 12:19:32 +0100
Subject: [Catalog-sig] bad package that's phishing bitbucket emails
In-Reply-To: <4F743FD9.7060504@egenix.com>
References: <4F743E07.20005@egenix.com> <4F743FD9.7060504@egenix.com>
Message-ID:

On 3/29/12 11:56 AM, M.-A. Lemburg wrote:
> M.-A. Lemburg wrote:
>> Michael Foord wrote:
>>> Hello mt,
>>>
>>> It doesn't appear to be a clone, but embedding bitbucket - and the Python package *seems* genuine.
>>
>> The site hosts an illegal copy of the bitbucket site and redirects the logins
>> not to bitbucket, but to code.thejeshgn.com:
>>
>> http://code.thejeshgn.com/account/signin/
>>
>> Needless to mention that the login info is sent in the clear as well...
>>
>> I think we should inform Atlassian about this.
>
> Looks like he cloned bitbucket for all his bitbucket repos:
>
> http://code.thejeshgn.com/
>
> and happily proxies requests through his site.

Are we sure this is not just an instance of this supported feature of Bitbucket?
http://confluence.atlassian.com/display/BITBUCKET/Using+your+Own+bitbucket+Domain+Name -- Robert Kern "I have come to believe that the whole world is an enigma, a harmless enigma that is made terrible by our own mad attempt to interpret it as though it had an underlying truth." -- Umberto Eco From mal at egenix.com Thu Mar 29 13:36:31 2012 From: mal at egenix.com (M.-A. Lemburg) Date: Thu, 29 Mar 2012 13:36:31 +0200 Subject: [Catalog-sig] bad package that's fishing bitbucket emails In-Reply-To: References: <4F743E07.20005@egenix.com> <4F743FD9.7060504@egenix.com> Message-ID: <4F74493F.9090907@egenix.com> Robert Kern wrote: > On 3/29/12 11:56 AM, M.-A. Lemburg wrote: >> M.-A. Lemburg wrote: >>> Michael Foord wrote: >>>> Hello mt, >>>> >>>> It doesn't appear to be a clone, but embedding bitbucket - and the Python package *seems* genuine. >>> >>> The site hosts an illegal copy of the bitbucket site and redirects the logins >>> not to bitbucket, but to the code.thejeshgn.com: >>> >>> http://code.thejeshgn.com/account/signin/ >>> >>> Needless to mention that the login info is sent in clear as well... >>> >>> I think we should inform Atlassian about this. >> >> Looks like he cloned bitbucket for all his bitbucket repos: >> >> http://code.thejeshgn.com/ >> >> and happily proxies requests through his site. > > Are we sure this is not just an instance of this supported feature of Bitbucket? > > http://confluence.atlassian.com/display/BITBUCKET/Using+your+Own+bitbucket+Domain+Name Oh dear, they even promote such use... what a poor security model :-( You were right: $ dig code.thejeshgn.com ; <<>> DiG 9.7.4-P1 <<>> code.thejeshgn.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34768 ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 5, ADDITIONAL: 2 ;; QUESTION SECTION: ;code.thejeshgn.com. IN A ;; ANSWER SECTION: code.thejeshgn.com. 3600 IN CNAME bitbucket.org. bitbucket.org. 360 IN A 207.223.240.181 bitbucket.org. 
360 IN A 207.223.240.182 -- Marc-Andre Lemburg eGenix.com Professional Python Services directly from the Source (#1, Mar 29 2012) >>> Python/Zope Consulting and Support ... http://www.egenix.com/ >>> mxODBC.Zope.Database.Adapter ... http://zope.egenix.com/ >>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/ ________________________________________________________________________ 2012-04-03: Python Meeting Duesseldorf 5 days to go ::: Try our new mxODBC.Connect Python Database Interface for free ! :::: eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48 D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg Registered at Amtsgericht Duesseldorf: HRB 46611 http://www.egenix.com/company/contact/ From michael at voidspace.org.uk Thu Mar 29 13:43:58 2012 From: michael at voidspace.org.uk (Michael Foord) Date: Thu, 29 Mar 2012 12:43:58 +0100 Subject: [Catalog-sig] bad package that's fishing bitbucket emails In-Reply-To: References: <4F743E07.20005@egenix.com> <4F743FD9.7060504@egenix.com> Message-ID: <51806C16-DAE7-49EA-9280-0DE689D49F7E@voidspace.org.uk> On 29 Mar 2012, at 12:37, m t wrote: > the other question is whether there are any others in pypi, and how to effectively detect them Even if the package hosting is unethical it doesn't mean we *must* remove them from pypi. We should only do that if it is malicious (of course if we can't *tell* whether or not it is malicious it becomes a difficult question). Michael > mt > > On Mar 29, 2012, at 4:06 AM, Michael Foord wrote: > >> >> On 29 Mar 2012, at 12:04, Yuval Greenfield wrote: >> >>> I really dislike this tomfoolery with bitbucket, you can see that jgrid.org is also a DNS redirection or something. It's bad security practice by bitbucket to allow this imo. >>> >>> Users should be trained for consistent address bars with HTTPS only, not all these useless copies with strange url's. 
>>> >> >> >> That's not relevant as to whether or not the package in question should be removed from PyPI though. >> >> Michael >> >>> Yuval >>> >>> On Thu, Mar 29, 2012 at 12:56 PM, M.-A. Lemburg wrote: >>> M.-A. Lemburg wrote: >>>> Michael Foord wrote: >>>>> Hello mt, >>>>> >>>>> It doesn't appear to be a clone, but embedding bitbucket - and the Python package *seems* genuine. >>>> >>>> The site hosts an illegal copy of the bitbucket site and redirects the logins >>>> not to bitbucket, but to the code.thejeshgn.com: >>>> >>>> http://code.thejeshgn.com/account/signin/ >>>> >>>> Needless to mention that the login info is sent in clear as well... >>>> >>>> I think we should inform Atlassian about this. >>> >>> Looks like he cloned bitbucket for all his bitbucket repos: >>> >>> http://code.thejeshgn.com/ >>> >>> and happily proxies requests through his site. >>> >>>>> The correct place to report issues with pypi is the tracker (no-one on this webmaster alias is involved in the administration of pypi): >>>>> >>>>> http://sourceforge.net/tracker/?group_id=66150&atid=513503 >>>>> >>>>> For *discussing* PyPI issues, which seems wise for this particular question, the catalog-sig email list is the right place: >>>>> >>>>> http://www.python.org/community/sigs/current/catalog-sig/ >>>>> >>>>> I've copied them in on this email >>>>> >>>>> All the best, >>>>> >>>>> Michael Foord >>>>> >>>>> On 29 Mar 2012, at 11:15, m t wrote: >>>>> >>>>>> hi, >>>>>> this package in pypi doesn't redirect to bitbucket, but a cloned site that fishes bitbucket emails: >>>>>> http://pypi.python.org/pypi/Octopoda/.0.1 >>>>>> >>>>>> might want to look into it, >>>>>> mt >>>>>> >>>>> >>>>> >>>>> -- >>>>> http://www.voidspace.org.uk/ >>>>> >>>>> >>>>> May you do good and not evil >>>>> May you find forgiveness for yourself and forgive others >>>>> May you share freely, never taking more than you give. 
>>>>> -- the sqlite blessing >>>>> http://www.sqlite.org/different.html >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> _______________________________________________ >>>>> Catalog-SIG mailing list >>>>> Catalog-SIG at python.org >>>>> http://mail.python.org/mailman/listinfo/catalog-sig >>>> >>> >>> -- >>> Marc-Andre Lemburg >>> eGenix.com >>> >>> Professional Python Services directly from the Source (#1, Mar 29 2012) >>>>>> Python/Zope Consulting and Support ... http://www.egenix.com/ >>>>>> mxODBC.Zope.Database.Adapter ... http://zope.egenix.com/ >>>>>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/ >>> ________________________________________________________________________ >>> 2012-04-03: Python Meeting Duesseldorf 5 days to go >>> >>> ::: Try our new mxODBC.Connect Python Database Interface for free ! :::: >>> >>> >>> eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48 >>> D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg >>> Registered at Amtsgericht Duesseldorf: HRB 46611 >>> http://www.egenix.com/company/contact/ >>> _______________________________________________ >>> Catalog-SIG mailing list >>> Catalog-SIG at python.org >>> http://mail.python.org/mailman/listinfo/catalog-sig >>> >> >> >> -- >> http://www.voidspace.org.uk/ >> >> >> May you do good and not evil >> May you find forgiveness for yourself and forgive others >> May you share freely, never taking more than you give. >> -- the sqlite blessing >> http://www.sqlite.org/different.html >> >> >> >> >> >> > > -- http://www.voidspace.org.uk/ May you do good and not evil May you find forgiveness for yourself and forgive others May you share freely, never taking more than you give. 
-- the sqlite blessing http://www.sqlite.org/different.html From michael at voidspace.org.uk Thu Mar 29 14:35:39 2012 From: michael at voidspace.org.uk (Michael Foord) Date: Thu, 29 Mar 2012 13:35:39 +0100 Subject: [Catalog-sig] bad package that's fishing bitbucket emails In-Reply-To: References: <4F743E07.20005@egenix.com> <4F743FD9.7060504@egenix.com> <51806C16-DAE7-49EA-9280-0DE689D49F7E@voidspace.org.uk> Message-ID: <3623DA97-442A-4684-8775-B5BA23B6C217@voidspace.org.uk> On 29 Mar 2012, at 13:32, m t wrote: > i partly agree, but i think it's pretty obvious what the intent is > the package on pypi has a malicious purpose > if you can't trust the one end of the chain of events, there's no point in debating the integrity of the other end > the aspect of trust was broken, the person and their code become untrustworthy from now on > i was one second away from sending my credentials, so i might be biased here :) It seems like the project is using a deliberate bitbucket feature and is unlikely to be either malicious or unethical. All the best, Michael > mt > > On Mar 29, 2012, at 4:43 AM, Michael Foord wrote: > >> >> On 29 Mar 2012, at 12:37, m t wrote: >> >>> the other question is whether there are any others in pypi, and how to effectively detect them >> >> Even if the package hosting is unethical it doesn't mean we *must* remove them from pypi. We should only do that if it is malicious (of course if we can't *tell* whether or not it is malicious it becomes a difficult question). >> >> Michael >> >>> mt >>> >>> On Mar 29, 2012, at 4:06 AM, Michael Foord wrote: >>> >>>> >>>> On 29 Mar 2012, at 12:04, Yuval Greenfield wrote: >>>> >>>>> I really dislike this tomfoolery with bitbucket, you can see that jgrid.org is also a DNS redirection or something. It's bad security practice by bitbucket to allow this imo. >>>>> >>>>> Users should be trained for consistent address bars with HTTPS only, not all these useless copies with strange url's. 
>>>>> >>>> >>>> >>>> That's not relevant as to whether or not the package in question should be removed from PyPI though. >>>> >>>> Michael >>>> >>>>> Yuval >>>>> >>>>> On Thu, Mar 29, 2012 at 12:56 PM, M.-A. Lemburg wrote: >>>>> M.-A. Lemburg wrote: >>>>>> Michael Foord wrote: >>>>>>> Hello mt, >>>>>>> >>>>>>> It doesn't appear to be a clone, but embedding bitbucket - and the Python package *seems* genuine. >>>>>> >>>>>> The site hosts an illegal copy of the bitbucket site and redirects the logins >>>>>> not to bitbucket, but to the code.thejeshgn.com: >>>>>> >>>>>> http://code.thejeshgn.com/account/signin/ >>>>>> >>>>>> Needless to mention that the login info is sent in clear as well... >>>>>> >>>>>> I think we should inform Atlassian about this. >>>>> >>>>> Looks like he cloned bitbucket for all his bitbucket repos: >>>>> >>>>> http://code.thejeshgn.com/ >>>>> >>>>> and happily proxies requests through his site. >>>>> >>>>>>> The correct place to report issues with pypi is the tracker (no-one on this webmaster alias is involved in the administration of pypi): >>>>>>> >>>>>>> http://sourceforge.net/tracker/?group_id=66150&atid=513503 >>>>>>> >>>>>>> For *discussing* PyPI issues, which seems wise for this particular question, the catalog-sig email list is the right place: >>>>>>> >>>>>>> http://www.python.org/community/sigs/current/catalog-sig/ >>>>>>> >>>>>>> I've copied them in on this email >>>>>>> >>>>>>> All the best, >>>>>>> >>>>>>> Michael Foord >>>>>>> >>>>>>> On 29 Mar 2012, at 11:15, m t wrote: >>>>>>> >>>>>>>> hi, >>>>>>>> this package in pypi doesn't redirect to bitbucket, but a cloned site that fishes bitbucket emails: >>>>>>>> http://pypi.python.org/pypi/Octopoda/.0.1 >>>>>>>> >>>>>>>> might want to look into it, >>>>>>>> mt >>>>>>>> >>>>>>> >>>>>>> >>>>>>> -- >>>>>>> http://www.voidspace.org.uk/ >>>>>>> >>>>>>> >>>>>>> May you do good and not evil >>>>>>> May you find forgiveness for yourself and forgive others >>>>>>> May you share freely, never 
taking more than you give. >>>>>>> -- the sqlite blessing >>>>>>> http://www.sqlite.org/different.html >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> _______________________________________________ >>>>>>> Catalog-SIG mailing list >>>>>>> Catalog-SIG at python.org >>>>>>> http://mail.python.org/mailman/listinfo/catalog-sig >>>>>> >>>>> >>>>> -- >>>>> Marc-Andre Lemburg >>>>> eGenix.com >>>>> >>>>> Professional Python Services directly from the Source (#1, Mar 29 2012) >>>>>>>> Python/Zope Consulting and Support ... http://www.egenix.com/ >>>>>>>> mxODBC.Zope.Database.Adapter ... http://zope.egenix.com/ >>>>>>>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/ >>>>> ________________________________________________________________________ >>>>> 2012-04-03: Python Meeting Duesseldorf 5 days to go >>>>> >>>>> ::: Try our new mxODBC.Connect Python Database Interface for free ! :::: >>>>> >>>>> >>>>> eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48 >>>>> D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg >>>>> Registered at Amtsgericht Duesseldorf: HRB 46611 >>>>> http://www.egenix.com/company/contact/ >>>>> _______________________________________________ >>>>> Catalog-SIG mailing list >>>>> Catalog-SIG at python.org >>>>> http://mail.python.org/mailman/listinfo/catalog-sig >>>>> >>>> >>>> >>>> -- >>>> http://www.voidspace.org.uk/ >>>> >>>> >>>> May you do good and not evil >>>> May you find forgiveness for yourself and forgive others >>>> May you share freely, never taking more than you give. >>>> -- the sqlite blessing >>>> http://www.sqlite.org/different.html >>>> >>>> >>>> >>>> >>>> >>>> >>> >>> >> >> >> -- >> http://www.voidspace.org.uk/ >> >> >> May you do good and not evil >> May you find forgiveness for yourself and forgive others >> May you share freely, never taking more than you give. 
>> -- the sqlite blessing >> http://www.sqlite.org/different.html >> >> >> >> >> >> > > -- http://www.voidspace.org.uk/ May you do good and not evil May you find forgiveness for yourself and forgive others May you share freely, never taking more than you give. -- the sqlite blessing http://www.sqlite.org/different.html From dreamabyss at hotmail.com Thu Mar 29 13:34:18 2012 From: dreamabyss at hotmail.com (m t) Date: Thu, 29 Mar 2012 04:34:18 -0700 Subject: [Catalog-sig] bad package that's fishing bitbucket emails In-Reply-To: <4F743E07.20005@egenix.com> References: <4F743E07.20005@egenix.com> Message-ID: hi, i already contacted atlassian, but you have more weight on this than me i don't know when/if they'd get to my email! mt On Mar 29, 2012, at 3:48 AM, M.-A. Lemburg wrote: > Michael Foord wrote: >> Hello mt, >> >> It doesn't appear to be a clone, but embedding bitbucket - and the Python package *seems* genuine. > > The site hosts an illegal copy of the bitbucket site and redirects the logins > not to bitbucket, but to the code.thejeshgn.com: > > http://code.thejeshgn.com/account/signin/ > > Needless to mention that the login info is sent in clear as well... > > I think we should inform Atlassian about this. 
> >> The correct place to report issues with pypi is the tracker (no-one on this webmaster alias is involved in the administration of pypi): >> >> http://sourceforge.net/tracker/?group_id=66150&atid=513503 >> >> For *discussing* PyPI issues, which seems wise for this particular question, the catalog-sig email list is the right place: >> >> http://www.python.org/community/sigs/current/catalog-sig/ >> >> I've copied them in on this email >> >> All the best, >> >> Michael Foord >> >> On 29 Mar 2012, at 11:15, m t wrote: >> >>> hi, >>> this package in pypi doesn't redirect to bitbucket, but a cloned site that fishes bitbucket emails: >>> http://pypi.python.org/pypi/Octopoda/.0.1 >>> >>> might want to look into it, >>> mt >>> >> >> >> -- >> http://www.voidspace.org.uk/ >> >> >> May you do good and not evil >> May you find forgiveness for yourself and forgive others >> May you share freely, never taking more than you give. >> -- the sqlite blessing >> http://www.sqlite.org/different.html >> >> >> >> >> >> _______________________________________________ >> Catalog-SIG mailing list >> Catalog-SIG at python.org >> http://mail.python.org/mailman/listinfo/catalog-sig > > -- > Marc-Andre Lemburg > eGenix.com > > Professional Python Services directly from the Source (#1, Mar 29 2012) >>>> Python/Zope Consulting and Support ... http://www.egenix.com/ >>>> mxODBC.Zope.Database.Adapter ... http://zope.egenix.com/ >>>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/ > ________________________________________________________________________ > 2012-04-03: Python Meeting Duesseldorf 5 days to go > > ::: Try our new mxODBC.Connect Python Database Interface for free ! :::: > > > eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48 > D-40764 Langenfeld, Germany. CEO Dipl.-Math. 
Marc-Andre Lemburg > Registered at Amtsgericht Duesseldorf: HRB 46611 > http://www.egenix.com/company/contact/ > From dreamabyss at hotmail.com Thu Mar 29 13:37:28 2012 From: dreamabyss at hotmail.com (m t) Date: Thu, 29 Mar 2012 04:37:28 -0700 Subject: [Catalog-sig] bad package that's fishing bitbucket emails In-Reply-To: References: <4F743E07.20005@egenix.com> <4F743FD9.7060504@egenix.com> Message-ID: the other question is whether there are any others in pypi, and how to effectively detect them mt On Mar 29, 2012, at 4:06 AM, Michael Foord wrote: > > On 29 Mar 2012, at 12:04, Yuval Greenfield wrote: > >> I really dislike this tomfoolery with bitbucket, you can see that jgrid.org is also a DNS redirection or something. It's bad security practice by bitbucket to allow this imo. >> >> Users should be trained for consistent address bars with HTTPS only, not all these useless copies with strange url's. >> > > > That's not relevant as to whether or not the package in question should be removed from PyPI though. > > Michael > >> Yuval >> >> On Thu, Mar 29, 2012 at 12:56 PM, M.-A. Lemburg wrote: >> M.-A. Lemburg wrote: >>> Michael Foord wrote: >>>> Hello mt, >>>> >>>> It doesn't appear to be a clone, but embedding bitbucket - and the Python package *seems* genuine. >>> >>> The site hosts an illegal copy of the bitbucket site and redirects the logins >>> not to bitbucket, but to the code.thejeshgn.com: >>> >>> http://code.thejeshgn.com/account/signin/ >>> >>> Needless to mention that the login info is sent in clear as well... >>> >>> I think we should inform Atlassian about this. >> >> Looks like he cloned bitbucket for all his bitbucket repos: >> >> http://code.thejeshgn.com/ >> >> and happily proxies requests through his site. 
>> >>>> The correct place to report issues with pypi is the tracker (no-one on this webmaster alias is involved in the administration of pypi): >>>> >>>> http://sourceforge.net/tracker/?group_id=66150&atid=513503 >>>> >>>> For *discussing* PyPI issues, which seems wise for this particular question, the catalog-sig email list is the right place: >>>> >>>> http://www.python.org/community/sigs/current/catalog-sig/ >>>> >>>> I've copied them in on this email >>>> >>>> All the best, >>>> >>>> Michael Foord >>>> >>>> On 29 Mar 2012, at 11:15, m t wrote: >>>> >>>>> hi, >>>>> this package in pypi doesn't redirect to bitbucket, but a cloned site that fishes bitbucket emails: >>>>> http://pypi.python.org/pypi/Octopoda/.0.1 >>>>> >>>>> might want to look into it, >>>>> mt >>>>> >>>> >>>> >>>> -- >>>> http://www.voidspace.org.uk/ >>>> >>>> >>>> May you do good and not evil >>>> May you find forgiveness for yourself and forgive others >>>> May you share freely, never taking more than you give. >>>> -- the sqlite blessing >>>> http://www.sqlite.org/different.html >>>> >>>> >>>> >>>> >>>> >>>> _______________________________________________ >>>> Catalog-SIG mailing list >>>> Catalog-SIG at python.org >>>> http://mail.python.org/mailman/listinfo/catalog-sig >>> >> >> -- >> Marc-Andre Lemburg >> eGenix.com >> >> Professional Python Services directly from the Source (#1, Mar 29 2012) >>>>> Python/Zope Consulting and Support ... http://www.egenix.com/ >>>>> mxODBC.Zope.Database.Adapter ... http://zope.egenix.com/ >>>>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/ >> ________________________________________________________________________ >> 2012-04-03: Python Meeting Duesseldorf 5 days to go >> >> ::: Try our new mxODBC.Connect Python Database Interface for free ! :::: >> >> >> eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48 >> D-40764 Langenfeld, Germany. CEO Dipl.-Math. 
Marc-Andre Lemburg >> Registered at Amtsgericht Duesseldorf: HRB 46611 >> http://www.egenix.com/company/contact/ >> _______________________________________________ >> Catalog-SIG mailing list >> Catalog-SIG at python.org >> http://mail.python.org/mailman/listinfo/catalog-sig >> > > > -- > http://www.voidspace.org.uk/ > > > May you do good and not evil > May you find forgiveness for yourself and forgive others > May you share freely, never taking more than you give. > -- the sqlite blessing > http://www.sqlite.org/different.html > > > > > > From dreamabyss at hotmail.com Thu Mar 29 14:32:54 2012 From: dreamabyss at hotmail.com (m t) Date: Thu, 29 Mar 2012 05:32:54 -0700 Subject: [Catalog-sig] bad package that's fishing bitbucket emails In-Reply-To: <51806C16-DAE7-49EA-9280-0DE689D49F7E@voidspace.org.uk> References: <4F743E07.20005@egenix.com> <4F743FD9.7060504@egenix.com> <51806C16-DAE7-49EA-9280-0DE689D49F7E@voidspace.org.uk> Message-ID: i partly agree, but i think it's pretty obvious what the intent is the package on pypi has a malicious purpose if you can't trust the one end of the chain of events, there's no point in debating the integrity of the other end the aspect of trust was broken, the person and their code become untrustworthy from now on i was one second away from sending my credentials, so i might be biased here :) mt On Mar 29, 2012, at 4:43 AM, Michael Foord wrote: > > On 29 Mar 2012, at 12:37, m t wrote: > >> the other question is whether there are any others in pypi, and how to effectively detect them > > Even if the package hosting is unethical it doesn't mean we *must* remove them from pypi. We should only do that if it is malicious (of course if we can't *tell* whether or not it is malicious it becomes a difficult question). 
> > Michael > >> mt >> >> On Mar 29, 2012, at 4:06 AM, Michael Foord wrote: >> >>> >>> On 29 Mar 2012, at 12:04, Yuval Greenfield wrote: >>> >>>> I really dislike this tomfoolery with bitbucket, you can see that jgrid.org is also a DNS redirection or something. It's bad security practice by bitbucket to allow this imo. >>>> >>>> Users should be trained for consistent address bars with HTTPS only, not all these useless copies with strange url's. >>>> >>> >>> >>> That's not relevant as to whether or not the package in question should be removed from PyPI though. >>> >>> Michael >>> >>>> Yuval >>>> >>>> On Thu, Mar 29, 2012 at 12:56 PM, M.-A. Lemburg wrote: >>>> M.-A. Lemburg wrote: >>>>> Michael Foord wrote: >>>>>> Hello mt, >>>>>> >>>>>> It doesn't appear to be a clone, but embedding bitbucket - and the Python package *seems* genuine. >>>>> >>>>> The site hosts an illegal copy of the bitbucket site and redirects the logins >>>>> not to bitbucket, but to the code.thejeshgn.com: >>>>> >>>>> http://code.thejeshgn.com/account/signin/ >>>>> >>>>> Needless to mention that the login info is sent in clear as well... >>>>> >>>>> I think we should inform Atlassian about this. >>>> >>>> Looks like he cloned bitbucket for all his bitbucket repos: >>>> >>>> http://code.thejeshgn.com/ >>>> >>>> and happily proxies requests through his site. 
>>>> >>>>>> The correct place to report issues with pypi is the tracker (no-one on this webmaster alias is involved in the administration of pypi): >>>>>> >>>>>> http://sourceforge.net/tracker/?group_id=66150&atid=513503 >>>>>> >>>>>> For *discussing* PyPI issues, which seems wise for this particular question, the catalog-sig email list is the right place: >>>>>> >>>>>> http://www.python.org/community/sigs/current/catalog-sig/ >>>>>> >>>>>> I've copied them in on this email >>>>>> >>>>>> All the best, >>>>>> >>>>>> Michael Foord >>>>>> >>>>>> On 29 Mar 2012, at 11:15, m t wrote: >>>>>> >>>>>>> hi, >>>>>>> this package in pypi doesn't redirect to bitbucket, but a cloned site that fishes bitbucket emails: >>>>>>> http://pypi.python.org/pypi/Octopoda/.0.1 >>>>>>> >>>>>>> might want to look into it, >>>>>>> mt >>>>>>> >>>>>> >>>>>> >>>>>> -- >>>>>> http://www.voidspace.org.uk/ >>>>>> >>>>>> >>>>>> May you do good and not evil >>>>>> May you find forgiveness for yourself and forgive others >>>>>> May you share freely, never taking more than you give. >>>>>> -- the sqlite blessing >>>>>> http://www.sqlite.org/different.html >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> _______________________________________________ >>>>>> Catalog-SIG mailing list >>>>>> Catalog-SIG at python.org >>>>>> http://mail.python.org/mailman/listinfo/catalog-sig >>>>> >>>> >>>> -- >>>> Marc-Andre Lemburg >>>> eGenix.com >>>> >>>> Professional Python Services directly from the Source (#1, Mar 29 2012) >>>>>>> Python/Zope Consulting and Support ... http://www.egenix.com/ >>>>>>> mxODBC.Zope.Database.Adapter ... http://zope.egenix.com/ >>>>>>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/ >>>> ________________________________________________________________________ >>>> 2012-04-03: Python Meeting Duesseldorf 5 days to go >>>> >>>> ::: Try our new mxODBC.Connect Python Database Interface for free ! 
:::: >>>> >>>> >>>> eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48 >>>> D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg >>>> Registered at Amtsgericht Duesseldorf: HRB 46611 >>>> http://www.egenix.com/company/contact/ >>>> _______________________________________________ >>>> Catalog-SIG mailing list >>>> Catalog-SIG at python.org >>>> http://mail.python.org/mailman/listinfo/catalog-sig >>>> >>> >>> >>> -- >>> http://www.voidspace.org.uk/ >>> >>> >>> May you do good and not evil >>> May you find forgiveness for yourself and forgive others >>> May you share freely, never taking more than you give. >>> -- the sqlite blessing >>> http://www.sqlite.org/different.html >>> >>> >>> >>> >>> >>> >> >> > > > -- > http://www.voidspace.org.uk/ > > > May you do good and not evil > May you find forgiveness for yourself and forgive others > May you share freely, never taking more than you give. > -- the sqlite blessing > http://www.sqlite.org/different.html > > > > > > From martin at v.loewis.de Thu Mar 29 16:02:16 2012 From: martin at v.loewis.de (martin at v.loewis.de) Date: Thu, 29 Mar 2012 16:02:16 +0200 Subject: [Catalog-sig] bad package that's fishing bitbucket emails In-Reply-To: References: <4F743E07.20005@egenix.com> <4F743FD9.7060504@egenix.com> <51806C16-DAE7-49EA-9280-0DE689D49F7E@voidspace.org.uk> Message-ID: <20120329160216.Horde.UNdCLVNNcXdPdGtoAeNEpuA@webmail.df.eu> > i partly agree, but i think it's pretty obvious what the intent is > the package on pypi has a malicious purpose I completely disagree. The package *clearly* has a good intent, and the package author has no malicious plans with it. 
> if you can't trust the one end of the chain of events, there's no > point in debating the integrity of the other end > the aspect of trust was broken, the person and their code become > untrustworthy from now on > i was one second away from sending my credentials, so i might be > biased here :) And no harm would have been done in sending your credentials - the package author would not have been able to obtain them. Regards, Martin From a.badger at gmail.com Thu Mar 29 17:01:59 2012 From: a.badger at gmail.com (Toshio Kuratomi) Date: Thu, 29 Mar 2012 08:01:59 -0700 Subject: [Catalog-sig] Restart discussion on GNU Public License with version classifiers In-Reply-To: References: <20120315203835.GB11151@unaka.lan> Message-ID: <20120329150159.GF11151@unaka.lan> On Thu, Mar 15, 2012 at 10:41:39PM +0100, Hanno Schlichting wrote: > On Thu, Mar 15, 2012 at 9:38 PM, Toshio Kuratomi wrote: > > Last time there were discussions around whether to place the version > > information in a subsequent field. ?Despite the discussion about this, > > a subsequent license has been added to the catalog where the version is > > included in the main string [3]_. > > .. [3]: > > http://mail.python.org/pipermail/catalog-sig/2012-January/004186.html > > This was done to match the two existing entries: > > License :: OSI Approved :: Mozilla Public License 1.0 (MPL) > License :: OSI Approved :: Mozilla Public License 1.1 (MPL 1.1) > > So the following was added in the end: > > License :: OSI Approved :: Mozilla Public License 2.0 (MPL 2.0) > > I think an additional sub-namespace for GPL licenses doesn't really > add anything, so I'd be +1 on the proposal. > Two weeks with no objections raised. Could we have the following added? 
License :: OSI Approved :: GNU Lesser General Public License v2 (LGPLv2) License :: OSI Approved :: GNU Lesser General Public License v3 (LGPLv3) License :: OSI Approved :: GNU Lesser General Public License v2 or later (LGPLv2+) License :: OSI Approved :: GNU Lesser General Public License v3 or later (LGPLv3+) License :: OSI Approved :: GNU General Public License v2 (GPLv2) License :: OSI Approved :: GNU General Public License v3 (GPLv3) License :: OSI Approved :: GNU General Public License v2 or later (GPLv2+) License :: OSI Approved :: GNU General Public License v3 or later (GPLv3+) License :: OSI Approved :: GNU Affero General Public License v3 or later (AGPLv3+) Thank you, -Toshio -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: not available URL: From dreamabyss at hotmail.com Fri Mar 30 02:11:49 2012 From: dreamabyss at hotmail.com (m t) Date: Thu, 29 Mar 2012 17:11:49 -0700 Subject: [Catalog-sig] bad package that's fishing bitbucket emails In-Reply-To: <3623DA97-442A-4684-8775-B5BA23B6C217@voidspace.org.uk> References: <4F743E07.20005@egenix.com> <4F743FD9.7060504@egenix.com> <51806C16-DAE7-49EA-9280-0DE689D49F7E@voidspace.org.uk> <3623DA97-442A-4684-8775-B5BA23B6C217@voidspace.org.uk> Message-ID: hi, yuval and michael were right (attached below is bitbucket's reply), i definitely over-reacted hopefully there is some way for you guys to automatically detect nefarious packages from entering pypi thanks for the communication, top-notch good job with the feedback and discussion, mt and here is bitbucket's reply to my notifying them of that repo: Brodie Rao, Mar 29 13:07 (PDT): Hi mt, I don't think that user's phishing; he's just using our CNAME feature that lets him point a domain name to his Bitbucket profile and repositories. 
You'll get different opinions from other people on the Bitbucket team, but I'm personally not a fan of the feature because of the confusing security implications it has (as you've found out). It does indeed lead you to log into the site using his domain name. We may look into improving how logins work on CNAMEs in the future. For now, you can still view his repositories on bitbucket.org directly. I recommend doing that if you don't trust the owner of the domain name. If you have any other questions, let me know. Thanks, Brodie -------------- next part -------------- An HTML attachment was scrubbed... URL:
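Marc-Andre's dig check and Brodie Rao's description of the CNAME feature together answer mt's question about how to detect packages like this one: resolve the package's homepage host and see where its CNAME chain ends. The Python script below is an added example for this thread, not code from any participant, from PyPI or from Bitbucket. It parses the ANSWER SECTION of dig output (the sample is constructed, modelled on the records Marc-Andre posted, so the script runs offline), follows the CNAME chain, and classifies the host as the provider itself, a CNAME alias of the provider, or an unrelated host. KNOWN_HOSTS, the function names and the second sample with a two-hop chain under a .test domain are assumptions of the example.

```python
"""Classify a package homepage host from the ANSWER SECTION of dig output.

Added example for this thread, not code from any participant, PyPI or
Bitbucket. It automates the check Marc-Andre did by hand: follow the CNAME
chain and see whether it ends at a known hosting provider.
"""
from typing import List, Set, Tuple
from urllib.parse import urlsplit

# Providers whose custom-domain feature lets a third-party hostname serve
# the provider's own site (Bitbucket's CNAME feature in this thread).
# Assumed list for the example; extend it as needed.
KNOWN_HOSTS: Set[str] = {"bitbucket.org."}

# Constructed sample, modelled on the answer section Marc-Andre posted.
SAMPLE_DIG = """\
;; QUESTION SECTION:
;code.thejeshgn.com.            IN      A

;; ANSWER SECTION:
code.thejeshgn.com.     3600    IN      CNAME   bitbucket.org.
bitbucket.org.          360     IN      A       207.223.240.181
bitbucket.org.          360     IN      A       207.223.240.182
"""

# Constructed sample with a two-hop chain (hypothetical names, .test TLD).
SAMPLE_DIG_CHAIN = """\
;; ANSWER SECTION:
docs.example.test.      300     IN      CNAME   www.example.test.
www.example.test.       300     IN      CNAME   bitbucket.org.
bitbucket.org.          360     IN      A       207.223.240.181
"""

Record = Tuple[str, str, str]  # (owner name, record type, rdata)


def parse_answer_section(dig_output: str) -> List[Record]:
    """Return (name, type, rdata) triples from the ANSWER SECTION only."""
    records: List[Record] = []
    in_answer = False
    for line in dig_output.splitlines():
        if line.startswith(";;"):            # section header or dig status line
            in_answer = line.startswith(";; ANSWER SECTION")
            continue
        if line.startswith(";") or not line.strip() or not in_answer:
            continue
        fields = line.split()                 # name ttl class type rdata...
        if len(fields) < 5:
            continue
        name, rtype, rdata = fields[0], fields[3], " ".join(fields[4:])
        records.append((name.lower(), rtype.upper(), rdata.lower()))
    return records


def canonical_name(name: str, records: List[Record], max_hops: int = 8) -> str:
    """Follow CNAME records from `name` until a non-CNAME owner is reached."""
    current = name.lower().rstrip(".") + "."
    seen: Set[str] = set()
    for _ in range(max_hops):
        if current in seen:
            raise ValueError("CNAME loop at " + current)
        seen.add(current)
        targets = [rdata for n, t, rdata in records if n == current and t == "CNAME"]
        if not targets:
            return current
        current = targets[0]
    raise ValueError("CNAME chain longer than %d hops" % max_hops)


def classify_homepage(url: str, dig_output: str) -> str:
    """'known-host', 'alias-of-known-host' or 'independent-host' for url's host."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError("no hostname in " + url)
    fqdn = host.lower().rstrip(".") + "."
    if fqdn in KNOWN_HOSTS:
        return "known-host"
    if canonical_name(fqdn, parse_answer_section(dig_output)) in KNOWN_HOSTS:
        return "alias-of-known-host"
    return "independent-host"


if __name__ == "__main__":
    print(classify_homepage("http://code.thejeshgn.com/account/signin/", SAMPLE_DIG))
    print(classify_homepage("https://docs.example.test/", SAMPLE_DIG_CHAIN))
```

For a live check, feed the script the full output of `dig <host>` instead of the sample. An alias-of-known-host result is what the package in this thread turned out to be: the pages are served by Bitbucket, but, as Brodie points out, the login form is still presented under the third-party name, so it is still worth a look at where credentials are entered. An independent-host result for a homepage that looks like a hosting provider's site is the case to review by hand.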