[Catalog-sig] bad package that's fishing bitbucket emails

Michael Foord michael at voidspace.org.uk
Thu Mar 29 14:35:39 CEST 2012


On 29 Mar 2012, at 13:32, m t wrote:

> i partly agree, but i think it's pretty obvious what the intent is
> the package on pypi has a malicious purpose
> if you can't trust the one end of the chain of events, there's no point in debating the integrity of the other end
> the aspect of trust was broken, the person and their code become untrustworthy from now on
> i was one second away from sending my credentials, so i might be biased here :)

It seems like the project is using a deliberate bitbucket feature and is unlikely to be either malicious or unethical.

All the best,

Michael

> mt
> 
> On Mar 29, 2012, at 4:43 AM, Michael Foord wrote:
> 
>> 
>> On 29 Mar 2012, at 12:37, m t wrote:
>> 
>>> the other question is whether there are any others in pypi, and how to effectively detect them
>> 
>> Even if the package hosting is unethical it doesn't mean we *must* remove them from pypi. We should only do that if it is malicious (of course if we can't *tell* whether or not it is malicious it becomes a difficult question).
>> 
>> Michael
>> 
>>> mt
>>> 
>>> On Mar 29, 2012, at 4:06 AM, Michael Foord wrote:
>>> 
>>>> 
>>>> On 29 Mar 2012, at 12:04, Yuval Greenfield wrote:
>>>> 
>>>>> I really dislike this tomfoolery with bitbucket, you can see that jgrid.org is also a DNS redirection or something. It's bad security practice by bitbucket to allow this imo.
>>>>> 
>>>>> Users should be trained for consistent address bars with HTTPS only, not all these useless copies with strange URLs.
>>>>> 
>>>> 
>>>> 
>>>> That's not relevant as to whether or not the package in question should be removed from PyPI though.
>>>> 
>>>> Michael
>>>> 
>>>>> Yuval
>>>>> 
>>>>> On Thu, Mar 29, 2012 at 12:56 PM, M.-A. Lemburg <mal at egenix.com> wrote:
>>>>> M.-A. Lemburg wrote:
>>>>>> Michael Foord wrote:
>>>>>>> Hello mt,
>>>>>>> 
>>>>>>> It doesn't appear to be a clone, but embedding bitbucket - and the Python package *seems* genuine.
>>>>>> 
>>>>>> The site hosts an illegal copy of the bitbucket site and redirects the logins
>>>>>> not to bitbucket, but to the code.thejeshgn.com:
>>>>>> 
>>>>>> http://code.thejeshgn.com/account/signin/
>>>>>> 
>>>>>> Needless to mention that the login info is sent in the clear as well...
>>>>>> 
>>>>>> I think we should inform Atlassian about this.
>>>>> 
>>>>> Looks like he cloned bitbucket for all his bitbucket repos:
>>>>> 
>>>>> http://code.thejeshgn.com/
>>>>> 
>>>>> and happily proxies requests through his site.
>>>>> 
>>>>>>> The correct place to report issues with pypi is the tracker (no-one on this webmaster alias is involved in the administration of pypi):
>>>>>>> 
>>>>>>>  http://sourceforge.net/tracker/?group_id=66150&atid=513503
>>>>>>> 
>>>>>>> For *discussing* PyPI issues, which seems wise for this particular question, the catalog-sig email list is the right place:
>>>>>>> 
>>>>>>>  http://www.python.org/community/sigs/current/catalog-sig/
>>>>>>> 
>>>>>>> I've copied them in on this email
>>>>>>> 
>>>>>>> All the best,
>>>>>>> 
>>>>>>> Michael Foord
>>>>>>> 
>>>>>>> On 29 Mar 2012, at 11:15, m t wrote:
>>>>>>> 
>>>>>>>> hi,
>>>>>>>> this package in pypi doesn't redirect to bitbucket, but a cloned site that fishes bitbucket emails:
>>>>>>>> http://pypi.python.org/pypi/Octopoda/.0.1
>>>>>>>> 
>>>>>>>> might want to look into it,
>>>>>>>> mt
>>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> --
>>>>>>> http://www.voidspace.org.uk/
>>>>>>> 
>>>>>>> 
>>>>>>> May you do good and not evil
>>>>>>> May you find forgiveness for yourself and forgive others
>>>>>>> May you share freely, never taking more than you give.
>>>>>>> -- the sqlite blessing
>>>>>>> http://www.sqlite.org/different.html
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> _______________________________________________
>>>>>>> Catalog-SIG mailing list
>>>>>>> Catalog-SIG at python.org
>>>>>>> http://mail.python.org/mailman/listinfo/catalog-sig
>>>>>> 
>>>>> 
>>>>> --
>>>>> Marc-Andre Lemburg
>>>>> eGenix.com
>>>>> 
>>>>> Professional Python Services directly from the Source  (#1, Mar 29 2012)
>>>>>>>> Python/Zope Consulting and Support ...        http://www.egenix.com/
>>>>>>>> mxODBC.Zope.Database.Adapter ...             http://zope.egenix.com/
>>>>>>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
>>>>> ________________________________________________________________________
>>>>> 2012-04-03: Python Meeting Duesseldorf                      5 days to go
>>>>> 
>>>>> ::: Try our new mxODBC.Connect Python Database Interface for free ! ::::
>>>>> 
>>>>> 
>>>>> eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
>>>>> D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
>>>>>       Registered at Amtsgericht Duesseldorf: HRB 46611
>>>>>           http://www.egenix.com/company/contact/
>>>> 
>>> 
>>> 
>> 
> 
> 

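The cloned sign-in page Marc-Andre describes above (a copy of the Bitbucket UI whose login form posts to code.thejeshgn.com over plain HTTP) is the kind of thing a reviewer can flag mechanically before deciding whether a package's project page is a proxy clone. The following is an added example and not code from this list, from PyPI or from Bitbucket: it parses already-fetched HTML offline and reports every password form whose action resolves to a host outside an expected set or to an http URL. The expected host set, the hostnames and the sample HTML are constructed for the example.

```python
"""Flag login forms that would send credentials to an unexpected host or over
plaintext HTTP. Added example for the catalog-sig thread, not list or project
code; EXPECTED_LOGIN_HOSTS, the .invalid hostnames and the HTML are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Where a genuine Bitbucket sign-in form is expected to post (assumption for the example).
EXPECTED_LOGIN_HOSTS = {"bitbucket.org", "www.bitbucket.org"}


class _FormCollector(HTMLParser):
    """Record the action of every <form> and whether it contains a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []        # list of {"action": str, "password": bool}
        self._current = None   # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url, html, expected_hosts=EXPECTED_LOGIN_HOSTS):
    """Return a list of (resolved_action_url, reason) for password forms on the page.

    reason is "plaintext" when the credentials would travel over http and
    "foreign-host" when they would go to a host outside expected_hosts.
    An empty list means every password form posts to an expected host over https.
    """
    parser = _FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not form["password"]:
            continue  # search boxes and similar forms carry no secret
        # A relative action resolves against the page's own origin, which on a
        # cloned site is the clone's host, not Bitbucket's.
        action = urljoin(page_url, form["action"])
        parts = urlsplit(action)
        if parts.scheme != "https":
            findings.append((action, "plaintext"))
        if parts.hostname not in expected_hosts:
            findings.append((action, "foreign-host"))
    return findings


# Constructed sample pages: a genuine-looking sign-in page and a proxied clone.
GENUINE_PAGE = """<html><body>
<form action="/search" method="get"><input type="text" name="q"></form>
<form action="https://bitbucket.org/account/signin/" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
</form></body></html>"""

CLONE_PAGE = """<html><body>
<form action="/account/signin/" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
</form></body></html>"""


if __name__ == "__main__":
    for url, html in (("https://bitbucket.org/account/signin/", GENUINE_PAGE),
                      ("http://code.clone.invalid/account/signin/", CLONE_PAGE)):
        print(url, "->", audit_login_forms(url, html) or "ok")
```

The host check is the one that matters most: a full mirror can proxy Bitbucket over https with a perfectly valid certificate for its own domain, so the scheme check alone would pass it, while a password form whose action resolves anywhere other than the expected hosts is still reported.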