[Distutils] Malicious packages on PyPI

Wes Turner wes.turner at gmail.com
Fri Jun 2 08:25:45 EDT 2017


On Thursday, June 1, 2017, Matt Joyce <matt at nycresistor.com> wrote:

> Force packages to match their higher level import namespace in future
> major Python versions and PEP it.
>

__import__('siht'[::-1])  # 'siht'[::-1] == 'this', so this is __import__('this')


Though static analysis would still be great.


>
> On Jun 1, 2017 7:37 PM, "Noah Kantrowitz" <noah at coderanger.net> wrote:
>
>>
>> > On Jun 1, 2017, at 4:00 PM, Nick Timkovich <prometheus235 at gmail.com> wrote:
>> >
>> > This issue was also brought up in January at
>> https://github.com/pypa/pypi-legacy/issues/585 then just as after the
>> initial "typosquatting PyPI" report (June 2016) it's met with resounding
>> silence. Attacking the messenger doesn't seem like a winning move from a
>> security standpoint.
>> >
>> > Can we come up with a plan to address the underlying issue and protect
>> users?
>>
>> If you have a systemic solution I'm sure we would love to hear it :)
>>
>> --Noah
>>
>>
>>
>> _______________________________________________
>> Distutils-SIG maillist  -  Distutils-SIG at python.org
>> https://mail.python.org/mailman/listinfo/distutils-sig
>>
>>
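The one-liner in the message above shows why "package name must match import namespace" cannot be enforced by scanning import statements: the target module name is built at runtime. The following is an added example, not code from the thread or from PyPI/pip, of what a static import audit can and cannot see. It parses two constructed module sources (BENIGN_SRC and EVASIVE_SRC, both made up for this example) with the standard-library ast module, collects the statically resolvable imports, and separately flags calls to __import__ or importlib.import_module whose argument is not a plain string literal, since those are exactly the cases a checker cannot resolve. The allowed set passed to audit() is a hypothetical list of declared top-level module names.

```python
"""Static import audit: added example, not from the Distutils-SIG thread.

Demonstrates that a name-matching policy enforced by scanning import
statements misses dynamically computed module names, and how a checker can
at least flag the dynamic import calls it cannot resolve.
"""
import ast

# Constructed sample: every import is static, so the checker sees all of them.
BENIGN_SRC = """
import os
import json as j
from urllib.parse import urlparse
"""

# Constructed sample mirroring the thread's evasion: the module names are
# reversed string literals, so no Import/ImportFrom node ever mentions them.
EVASIVE_SRC = """
import os
__import__('siht'[::-1])                          # resolves to 'this'
import importlib
m = importlib.import_module('snoitcelloc'[::-1])  # resolves to 'collections'
"""

# Callables that import by name at runtime (assumption: these two are the
# ones a checker cares about; other wrappers exist).
DYNAMIC_IMPORTERS = {"__import__", "import_module"}


def static_imports(src):
    """Return the set of top-level module names imported via import syntax."""
    names = set()
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                names.add(alias.name.split(".")[0])
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            # level > 0 is a relative import that stays inside the package
            names.add(node.module.split(".")[0])
    return names


def dynamic_import_calls(src):
    """Return sorted (lineno, callee, target) for every dynamic import call.

    target is the module name when the argument is a string literal and None
    when it is any other expression, i.e. when the checker cannot know what
    will be imported."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if isinstance(func, ast.Name):
            callee = func.id
        elif isinstance(func, ast.Attribute):
            callee = func.attr
        else:
            continue
        if callee not in DYNAMIC_IMPORTERS:
            continue
        arg = node.args[0] if node.args else None
        target = None
        if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
            target = arg.value
        findings.append((node.lineno, callee, target))
    findings.sort()
    return findings


def audit(src, allowed):
    """Apply a 'may only import declared modules' policy to one module source.

    Returns a list of violation strings; an empty list means the source passed.
    Static imports outside `allowed` are reported, and so is every dynamic
    import whose target cannot be resolved, since silently passing it is what
    the reversed-string trick relies on."""
    violations = []
    for name in sorted(static_imports(src) - allowed):
        violations.append(f"static import of undeclared module {name!r}")
    for lineno, callee, target in dynamic_import_calls(src):
        if target is None:
            violations.append(
                f"line {lineno}: {callee}() with non-literal target, cannot verify")
        elif target.split(".")[0] not in allowed:
            violations.append(
                f"line {lineno}: {callee}({target!r}) imports undeclared module")
    return violations


if __name__ == "__main__":
    print("benign :", audit(BENIGN_SRC, {"os", "json", "urllib"}) or "clean")
    print("evasive:", audit(EVASIVE_SRC, {"os", "importlib"}))
```

Note that the evasive module passes an import-statement-only scan with exactly the same declared set it would need anyway (os and importlib); only the second pass, which refuses to trust any non-literal argument to a dynamic importer, surfaces the two hidden imports. A determined author can still route around this (getattr on builtins, exec, a C extension), which is the limit the message is pointing at.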