[Catalog-sig] bad package that's fishing bitbucket emails
Michael Foord
michael at voidspace.org.uk
Thu Mar 29 13:43:58 CEST 2012
On 29 Mar 2012, at 12:37, m t wrote:
> the other question is whether there are any others in pypi, and how to effectively detect them
Even if the package hosting is unethical it doesn't mean we *must* remove them from pypi. We should only do that if it is malicious (of course if we can't *tell* whether or not it is malicious it becomes a difficult question).
Michael
> mt
>
> On Mar 29, 2012, at 4:06 AM, Michael Foord wrote:
>
>>
>> On 29 Mar 2012, at 12:04, Yuval Greenfield wrote:
>>
>>> I really dislike this tomfoolery with bitbucket, you can see that jgrid.org is also a DNS redirection or something. It's bad security practice by bitbucket to allow this imo.
>>>
>>> Users should be trained for consistent address bars with HTTPS only, not all these useless copies with strange url's.
>>>
>>
>>
>> That's not relevant as to whether or not the package in question should be removed from PyPI though.
>>
>> Michael
>>
>>> Yuval
>>>
>>> On Thu, Mar 29, 2012 at 12:56 PM, M.-A. Lemburg <mal at egenix.com> wrote:
>>> M.-A. Lemburg wrote:
>>>> Michael Foord wrote:
>>>>> Hello mt,
>>>>>
>>>>> It doesn't appear to be a clone, but embedding bitbucket - and the Python package *seems* genuine.
>>>>
>>>> The site hosts an illegal copy of the bitbucket site and redirects the logins
>>>> not to bitbucket, but to the code.thejeshgn.com:
>>>>
>>>> http://code.thejeshgn.com/account/signin/
>>>>
>>>> Needless to mention that the login info is sent in clear as well...
>>>>
>>>> I think we should inform Atlassian about this.
>>>
>>> Looks like he cloned bitbucket for all his bitbucket repos:
>>>
>>> http://code.thejeshgn.com/
>>>
>>> and happily proxies requests through his site.
>>>
>>>>> The correct place to report issues with pypi is the tracker (no-one on this webmaster alias is involved in the administration of pypi):
>>>>>
>>>>> http://sourceforge.net/tracker/?group_id=66150&atid=513503
>>>>>
>>>>> For *discussing* PyPI issues, which seems wise for this particular question, the catalog-sig email list is the right place:
>>>>>
>>>>> http://www.python.org/community/sigs/current/catalog-sig/
>>>>>
>>>>> I've copied them in on this email
>>>>>
>>>>> All the best,
>>>>>
>>>>> Michael Foord
>>>>>
>>>>> On 29 Mar 2012, at 11:15, m t wrote:
>>>>>
>>>>>> hi,
>>>>>> this package in pypi doesn't redirect to bitbucket, but a cloned site that fishes bitbucket emails:
>>>>>> http://pypi.python.org/pypi/Octopoda/.0.1
>>>>>>
>>>>>> might want to look into it,
>>>>>> mt
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> http://www.voidspace.org.uk/
>>>>>
>>>>>
>>>>> May you do good and not evil
>>>>> May you find forgiveness for yourself and forgive others
>>>>> May you share freely, never taking more than you give.
>>>>> -- the sqlite blessing
>>>>> http://www.sqlite.org/different.html
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Catalog-SIG mailing list
>>>>> Catalog-SIG at python.org
>>>>> http://mail.python.org/mailman/listinfo/catalog-sig
>>>>
>>>
>>> --
>>> Marc-Andre Lemburg
>>> eGenix.com
>>>
>>>
>>
>>
>
>
--
http://www.voidspace.org.uk/
May you do good and not evil
May you find forgiveness for yourself and forgive others
May you share freely, never taking more than you give.
-- the sqlite blessing
http://www.sqlite.org/different.html