[Catalog-sig] bad package that's fishing bitbucket emails
Michael Foord
michael at voidspace.org.uk
Thu Mar 29 14:35:39 CEST 2012
On 29 Mar 2012, at 13:32, m t wrote:
> i partly agree, but i think it's pretty obvious what the intent is
> the package on pypi has a malicious purpose
> if you can't trust the one end of the chain of events, there's no point in debating the integrity of the other end
> the aspect of trust was broken, the person and their code become untrustworthy from now on
> i was one second away from sending my credentials, so i might be biased here :)
It seems like the project is using a deliberate bitbucket feature and is unlikely to be either malicious or unethical.
All the best,
Michael
> mt
>
> On Mar 29, 2012, at 4:43 AM, Michael Foord wrote:
>
>>
>> On 29 Mar 2012, at 12:37, m t wrote:
>>
>>> the other question is whether there are any others in pypi, and how to effectively detect them
>>
>> Even if the package hosting is unethical it doesn't mean we *must* remove them from pypi. We should only do that if it is malicious (of course if we can't *tell* whether or not it is malicious it becomes a difficult question).
>>
>> Michael
>>
>>> mt
>>>
>>> On Mar 29, 2012, at 4:06 AM, Michael Foord wrote:
>>>
>>>>
>>>> On 29 Mar 2012, at 12:04, Yuval Greenfield wrote:
>>>>
>>>>> I really dislike this tomfoolery with bitbucket, you can see that jgrid.org is also a DNS redirection or something. It's bad security practice by bitbucket to allow this imo.
>>>>>
>>>>> Users should be trained for consistent address bars with HTTPS only, not all these useless copies with strange URLs.
>>>>>
>>>>
>>>>
>>>> That's not relevant as to whether or not the package in question should be removed from PyPI though.
>>>>
>>>> Michael
>>>>
>>>>> Yuval
>>>>>
>>>>> On Thu, Mar 29, 2012 at 12:56 PM, M.-A. Lemburg <mal at egenix.com> wrote:
>>>>> M.-A. Lemburg wrote:
>>>>>> Michael Foord wrote:
>>>>>>> Hello mt,
>>>>>>>
>>>>>>> It doesn't appear to be a clone, but embedding bitbucket - and the Python package *seems* genuine.
>>>>>>
>>>>>> The site hosts an illegal copy of the bitbucket site and redirects the logins
>>>>>> not to bitbucket, but to the code.thejeshgn.com:
>>>>>>
>>>>>> http://code.thejeshgn.com/account/signin/
>>>>>>
>>>>>> Needless to mention that the login info is sent in clear as well...
>>>>>>
>>>>>> I think we should inform Atlassian about this.
>>>>>
>>>>> Looks like he cloned bitbucket for all his bitbucket repos:
>>>>>
>>>>> http://code.thejeshgn.com/
>>>>>
>>>>> and happily proxies requests through his site.
>>>>>
>>>>>>> The correct place to report issues with pypi is the tracker (no-one on this webmaster alias is involved in the administration of pypi):
>>>>>>>
>>>>>>> http://sourceforge.net/tracker/?group_id=66150&atid=513503
>>>>>>>
>>>>>>> For *discussing* PyPI issues, which seems wise for this particular question, the catalog-sig email list is the right place:
>>>>>>>
>>>>>>> http://www.python.org/community/sigs/current/catalog-sig/
>>>>>>>
>>>>>>> I've copied them in on this email
>>>>>>>
>>>>>>> All the best,
>>>>>>>
>>>>>>> Michael Foord
>>>>>>>
>>>>>>> On 29 Mar 2012, at 11:15, m t wrote:
>>>>>>>
>>>>>>>> hi,
>>>>>>>> this package in pypi doesn't redirect to bitbucket, but a cloned site that fishes bitbucket emails:
>>>>>>>> http://pypi.python.org/pypi/Octopoda/.0.1
>>>>>>>>
>>>>>>>> might want to look into it,
>>>>>>>> mt
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> http://www.voidspace.org.uk/
>>>>>>>
>>>>>>>
>>>>>>> May you do good and not evil
>>>>>>> May you find forgiveness for yourself and forgive others
>>>>>>> May you share freely, never taking more than you give.
>>>>>>> -- the sqlite blessing
>>>>>>> http://www.sqlite.org/different.html
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Catalog-SIG mailing list
>>>>>>> Catalog-SIG at python.org
>>>>>>> http://mail.python.org/mailman/listinfo/catalog-sig
>>>>>>
>>>>>
>>>>> --
>>>>> Marc-Andre Lemburg
>>>>> eGenix.com
>>>>>
>>>>> Professional Python Services directly from the Source (#1, Mar 29 2012)
>>>>>>>> Python/Zope Consulting and Support ... http://www.egenix.com/
>>>>>>>> mxODBC.Zope.Database.Adapter ... http://zope.egenix.com/
>>>>>>>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/
>>>>> ________________________________________________________________________
>>>>> 2012-04-03: Python Meeting Duesseldorf 5 days to go
>>>>>
>>>>> ::: Try our new mxODBC.Connect Python Database Interface for free ! ::::
>>>>>
>>>>>
>>>>> eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48
>>>>> D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
>>>>> Registered at Amtsgericht Duesseldorf: HRB 46611
>>>>> http://www.egenix.com/company/contact/
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
--
http://www.voidspace.org.uk/
May you do good and not evil
May you find forgiveness for yourself and forgive others
May you share freely, never taking more than you give.
-- the sqlite blessing
http://www.sqlite.org/different.html
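mt asks above how packages like this one could be detected, and Marc-Andre describes the mechanism that makes them detectable: a login form that posts credentials to a host other than the site it imitates, over plain HTTP. The script below is an added example illustrating that check; it is not code from this thread, from PyPI or from Bitbucket. It parses a page's forms with the standard library, flags any password form whose action resolves to an unexpected host or a non-HTTPS scheme, and separately flags a project home page whose redirect chain ends on a different host than declared. The host names, URLs and HTML used as input are constructed placeholders (only `bitbucket.org` is a real site name, used as the expected host); the redirect chain is passed in rather than fetched so the example runs offline.

```python
"""Flag login forms that would send credentials somewhere other than the
expected site, or over plain HTTP, and home pages whose redirects end on
another host.

Added example for the catalog-sig discussion; not code from the thread,
PyPI or Bitbucket. All sample pages, URLs and host names below are
constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect the action URL and whether a password field is present for
    every <form> in a page."""

    def __init__(self):
        super().__init__()
        self.forms = []          # list of {"action": str, "password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def login_form_findings(page_url, html, expected_host):
    """Return a list of findings for password forms on `page_url`.

    A finding is raised when such a form would submit to a host other than
    `expected_host`, or over a scheme other than https (credentials in the
    clear). An empty action submits back to the page's own URL.
    """
    collector = _FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        if not form["password"]:
            continue
        target = urlsplit(urljoin(page_url, form["action"]))
        host = (target.hostname or "").lower()
        if target.scheme != "https":
            findings.append(f"credentials posted over {target.scheme} to {host}")
        if host != expected_host.lower():
            findings.append(f"credentials posted to {host}, expected {expected_host}")
    return findings


def redirect_findings(declared_url, observed_chain):
    """Flag a project home page whose redirect chain ends on another host.

    `observed_chain` lists the URLs actually visited, first the declared URL
    and last where the client ended up; passing it in keeps this function
    free of network access.
    """
    declared_host = (urlsplit(declared_url).hostname or "").lower()
    final_host = (urlsplit(observed_chain[-1]).hostname or "").lower()
    if final_host != declared_host:
        return [f"home page {declared_url} ends on {final_host}"]
    return []


# Constructed sample: a page imitating the real login form, served from a
# different host over plain HTTP, with the form posting back to that host.
CLONE_PAGE_URL = "http://code.clone.example/account/signin/"
CLONE_PAGE_HTML = """
<html><body>
<form method="post" action="/account/signin/">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Log in">
</form>
</body></html>
"""

# Constructed sample: the same form served from the expected host over HTTPS.
GENUINE_PAGE_URL = "https://bitbucket.org/account/signin/"
GENUINE_PAGE_HTML = CLONE_PAGE_HTML

EXPECTED_HOST = "bitbucket.org"


if __name__ == "__main__":
    for name, url, html in [("clone", CLONE_PAGE_URL, CLONE_PAGE_HTML),
                            ("genuine", GENUINE_PAGE_URL, GENUINE_PAGE_HTML)]:
        print(name, login_form_findings(url, html, EXPECTED_HOST) or ["no findings"])
    print(redirect_findings("https://pypi.example/project/",
                            ["https://pypi.example/project/", CLONE_PAGE_URL]))
```

A host mismatch on its own is only a lead for review, since a project may legitimately redirect to documentation hosted elsewhere; it is the combination of a password form, a host that does not match the site being imitated, and a non-HTTPS submission that matches the case described in this thread.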