[Distutils] Malicious packages on PyPI
Nick Coghlan
ncoghlan at gmail.com
Fri Jun 2 09:05:53 EDT 2017
On 2 June 2017 at 19:42, Richard Jones <richard at python.org> wrote:
> On 2 June 2017 at 18:05, Nick Coghlan <ncoghlan at gmail.com> wrote:
>>
>> On 2 June 2017 at 09:00, Nick Timkovich <prometheus235 at gmail.com> wrote:
>> > This issue was also brought up in January at
>> > https://github.com/pypa/pypi-legacy/issues/585 then just as after the
>> > initial "typosquatting PyPI" report (June 2016) it's met with resounding
>> > silence. Attacking the messenger doesn't seem like a winning move from a
>> > security standpoint.
>> >
>> > Can we come up with a plan to address the underlying issue and protect
>> > users?
>>
>> I like the suggestion of an auto-generated "common 404" blacklist,
>> where regularly queried-but-nonexistent names can't be registered
>> without prior approval by the PyPI admins or the PSF.
>
> I like it also, but it adds an additional administration burden on top of
> that which is not being coped with at the moment.
>
> 117 open issues in https://github.com/pypa/pypi-legacy/issues
> 219 open support tickets in https://sourceforge.net/p/pypi/support-requests/
Right, to be even remotely viable, any approach would need to be
almost entirely automated, and even then, we'd anticipate a potential
uptick in support requests asking for particular names to be
unblocked.
In the meantime, I'm OK with our official answer being "This is why
suppliers of component whitelisting and security scanning systems
currently have a viable business model - nobody has figured out how to
do this sustainably at PyPI's scale with purely volunteer effort, and
the PSF's own finances aren't yet in good enough shape to fund it
directly on behalf of the wider community".
Cheers,
Nick.
--
Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia
More information about the Distutils-SIG
mailing list