[Python-Dev] SK-CSIRT identified malicious software libraries in the official Python package repository, PyPI
Victor Stinner victor.stinner at gmail.com
Fri Sep 15 17:16:34 EDT 2017
- Previous message (by thread): [Python-Dev] SK-CSIRT identified malicious software libraries in the official Python package repository, PyPI
- Next message (by thread): [Python-Dev] SK-CSIRT identified malicious software libraries in the official Python package repository, PyPI
An idea for typo squatting would be to compute the Levenshtein distance with package names of the standard library and the top 100 most popular PyPI packages, and require contacting a moderation team if the name is too close to an existing package. The moderation team would review the email, but also watch the package for 1 month to check that everything seems fine.
It requires having a list of all package names of the standard library, and maintaining an up-to-date list of popular PyPI package names.
It also requires setting up a mailing list, and tooling to report the error message to users, and then giving moderators the right to create the package. I'm not sure that it's easy to implement.
Victor
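The check described in the message above, as an added example that is not part of the original post and not code from PyPI or Warehouse: a registration-time gate that computes the Levenshtein distance between a proposed name and a protected list, and holds the registration for moderation when the distance is within a threshold. The protected list, the threshold of 2, the PEP 503-style name normalisation and the function names are all assumptions; a real deployment would load the standard-library module list and a maintained top-N PyPI list, as the message suggests.

```python
"""Typosquat-proximity check for proposed package names.

Added example, not the original post's or PyPI's own code. The protected
list is constructed for illustration; the distance threshold and the
normalisation rule are assumptions.
"""
import re
from typing import Iterable, List, Tuple

# Constructed protected list: a few standard-library module names plus a
# few popular PyPI package names. A real check would combine the stdlib
# module list with a maintained "top 100" list, as the message proposes.
PROTECTED_NAMES = [
    "urllib", "collections", "hashlib", "subprocess",
    "requests", "numpy", "django", "flask", "setuptools",
]


def normalize(name: str) -> str:
    """PEP 503-style normalisation: lower-case, runs of '-', '_' or '.'
    collapse to a single '-', so 'Django_REST' and 'django-rest' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) via the two-row DP table."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def too_close(candidate: str,
              protected: Iterable[str] = PROTECTED_NAMES,
              max_distance: int = 2) -> List[Tuple[str, int]]:
    """Return (protected_name, distance) pairs within max_distance,
    nearest first. Distance 0 is deliberately included: a name identical
    to a stdlib module is the most important case to catch, since PyPI
    has no existing package to collide with."""
    cand = normalize(candidate)
    hits = []
    for name in protected:
        d = levenshtein(cand, normalize(name))
        if d <= max_distance:
            hits.append((name, d))
    return sorted(hits, key=lambda h: (h[1], h[0]))


def registration_decision(candidate: str) -> str:
    """'allow' when no protected name is within range, otherwise
    'hold-for-moderation' (the point where the message's moderation
    team would take over)."""
    return "allow" if not too_close(candidate) else "hold-for-moderation"


if __name__ == "__main__":
    for name in ["urlib", "djanga", "reqeusts", "mypackage"]:
        print(f"{name:10s} {registration_decision(name):20s} {too_close(name)}")
```

The threshold is the tuning knob the moderation team would own: a fixed distance of 2 is strict for five-letter names and loose for long ones, so a length-relative threshold is a reasonable refinement. Plain Levenshtein also does not see Unicode confusables, so the normalisation step would need a confusable-folding pass before this check if non-ASCII names are accepted.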