[PSF-Community] Dangerous PyPI packages and PSF

Jacqueline Kazil jackiekazil at gmail.com
Thu May 4 21:50:06 EDT 2017


That is a great observation Bruno!

-Jackie

On Thu, May 4, 2017 at 8:08 PM, Bruno Rocha <rochacbruno at gmail.com> wrote:

> Interesting detail, the mentioned package
> https://pypi.python.org/pypi/python-nation/1.0.1 was created and uploaded by
> Jacob Kaplan Moss, so I guess this is intended to be a POC, to show PyPI
> vulnerabilities or some Infosec experiment.
>
> On Thu, May 4, 2017 at 8:41 PM, Bruno Rocha <rochacbruno at gmail.com> wrote:
>
>> Hi,
>>
>> I just read this on reddit[0], a thread asking if PyPI packages are
>> audited, and somebody pointed to `python-nation`[1], which is a harmful and
>> useless module, installing itself and sending the `/etc/passwd` content to
>> an external endpoint.
>>
>> The app receiving the data is hosted at http://python-nation.herokuapp.com
>>
>> and as the PSF mission [2] says
>>
>> The mission of the Python Software Foundation is to promote, protect, and
>> advance the Python programming language
>>
>> I wonder if there is some workgroup at PSF to handle this, and not only
>> the specific case of `python-nation`, which should be deleted and the user
>> banned maybe, but also to handle the audit of other packages?
>>
>>
>> [0] https://www.reddit.com/r/Python/comments/697da2/does_pypi_review_code_thats_uploaded/
>> [1] https://www.reddit.com/r/Python/comments/697da2/does_pypi_review_code_thats_uploaded/dh4uyf8/
>> [2] https://www.python.org/psf/mission/
>>
>>
>> Cheers,
>>
>> --
>>
>> *Bruno Rocha - @rochacbruno <http://twitter.com/rochacbruno>*
>> http://brunorocha.org
>>
>>
>
>
> --
>
> *Bruno Rocha - @rochacbruno <http://twitter.com/rochacbruno>*
> http://brunorocha.org
>
>
> _______________________________________________
> PSF-Community mailing list
> PSF-Community at python.org
> https://mail.python.org/mailman/listinfo/psf-community
>
>


-- 
Jacqueline Kazil | @jackiekazil