[Distutils] Malicious packages on PyPI

Matt Joyce matt at nycresistor.com
Thu Jun 1 20:15:59 EDT 2017


Or start doing signed pgp for package maintainers and build a transitive
trust model.

On Jun 1, 2017 8:14 PM, wrote:

Force packages to match their higher level import namespace in future major
Python versions and PEP it.

On Jun 1, 2017 7:37 PM, "Noah Kantrowitz" <noah at coderanger.net> wrote:


> On Jun 1, 2017, at 4:00 PM, Nick Timkovich <prometheus235 at gmail.com> wrote:
>
> This issue was also brought up in January at
> https://github.com/pypa/pypi-legacy/issues/585; then, just as after the
> initial "typosquatting PyPI" report (June 2016), it's met with resounding
> silence. Attacking the messenger doesn't seem like a winning move from a
> security standpoint.
>
> Can we come up with a plan to address the underlying issue and protect
> users?

If you have a systemic solution I'm sure we would love to hear it :)

--Noah
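One concrete form of the "packages must match their import namespace" proposal above, as an added example that is not part of this thread and not PyPI or pip code: read a wheel's `.dist-info` metadata and flag any top-level import name that does not match the distribution name after PEP 503 normalization. The wheels are built in memory for the demo, and `build_wheel`, `wheel_namespace` and `namespace_mismatch` are names chosen here, not existing tooling.

```python
import io
import re
import zipfile

def normalize(name: str) -> str:
    """PEP 503 normalization: lowercase, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def wheel_namespace(wheel_bytes: bytes):
    """Return (distribution name, top-level import names) declared by a wheel.
    Prefers .dist-info/top_level.txt; otherwise infers names from file paths."""
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        names = zf.namelist()
        dist_info = next(n.split("/")[0] for n in names
                         if n.endswith(".dist-info/METADATA"))
        dist = dist_info[: -len(".dist-info")].rsplit("-", 1)[0]  # "<name>-<ver>"
        tl = f"{dist_info}/top_level.txt"
        if tl in names:
            mods = {l.strip() for l in zf.read(tl).decode().splitlines() if l.strip()}
        else:
            heads = {n.split("/")[0] for n in names if not n.startswith(dist_info + "/")}
            mods = {h[:-3] if h.endswith(".py") else h for h in heads}
    return dist, mods

def namespace_mismatch(wheel_bytes: bytes) -> set:
    """Top-level import names that differ from the distribution name (empty = consistent)."""
    dist, mods = wheel_namespace(wheel_bytes)
    return {m for m in mods if normalize(m) != normalize(dist)}

def build_wheel(dist: str, version: str, files: dict) -> bytes:
    """Constructed in-memory wheel for this demo (not a real PyPI artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = f"{dist}-{version}.dist-info"
        zf.writestr(f"{info}/METADATA", f"Metadata-Version: 2.1\nName: {dist}\nVersion: {version}\n")
        tops = sorted({p.split("/")[0][:-3] if p.endswith(".py") and "/" not in p else p.split("/")[0] for p in files})
        zf.writestr(f"{info}/top_level.txt", "\n".join(tops) + "\n")
        for path, src in files.items():
            zf.writestr(path, src)
    return buf.getvalue()

# Constructed samples: a consistent package, and one whose distribution name
# differs from the module it actually installs into site-packages.
CONSISTENT = build_wheel("acme_utils", "1.0", {"acme_utils/__init__.py": "VERSION = '1.0'\n"})
MISMATCHED = build_wheel("acme_utilz", "1.0", {"acme_utils/__init__.py": "import os\n"})

if __name__ == "__main__":
    for label, wheel in (("acme_utils", CONSISTENT), ("acme_utilz", MISMATCHED)):
        bad = namespace_mismatch(wheel)
        print(label, "OK" if not bad else f"FLAG: installs {sorted(bad)}")
```

Legitimate packages mismatch too (PyYAML installs `yaml`, beautifulsoup4 installs `bs4`), so a flag from this check is a review prompt rather than a verdict.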



_______________________________________________
Distutils-SIG maillist  -  Distutils-SIG at python.org
https://mail.python.org/mailman/listinfo/distutils-sig