i partly agree, but i think it's pretty obvious what the intent is
the package on pypi has a malicious purpose
if you can't trust the one end of the chain of events, there's no point in 
debating the integrity of the other end
the aspect of trust was broken, the person and their code become untrustworthy 
from now on
i was one second away from sending my credentials, so i might be biased here :)
mt

On Mar 29, 2012, at 4:43 AM, Michael Foord wrote:

> 
> On 29 Mar 2012, at 12:37, m t wrote:
> 
>> the other question is whether there are any others in pypi, and how to 
>> effectively detect them
> 
> Even if the package hosting is unethical it doesn't mean we *must* remove 
> them from pypi. We should only do that if it is malicious (of course if we 
> can't *tell* whether or not it is malicious it becomes a difficult question).
> 
> Michael
> 
>> mt
>> 
>> On Mar 29, 2012, at 4:06 AM, Michael Foord wrote:
>> 
>>> 
>>> On 29 Mar 2012, at 12:04, Yuval Greenfield wrote:
>>> 
>>>> I really dislike this tomfoolery with bitbucket, you can see that 
>>>> jgrid.org is also a DNS redirection or something. It's bad security 
>>>> practice by bitbucket to allow this imo.
>>>> 
>>>> Users should be trained for consistent address bars with HTTPS only, not 
>>>> all these useless copies with strange URLs.
>>>> 
>>> 
>>> 
>>> That's not relevant as to whether or not the package in question should be 
>>> removed from PyPI though.
>>> 
>>> Michael
>>> 
>>>> Yuval
>>>> 
>>>> On Thu, Mar 29, 2012 at 12:56 PM, M.-A. Lemburg <[email protected]> wrote:
>>>> M.-A. Lemburg wrote:
>>>>> Michael Foord wrote:
>>>>>> Hello mt,
>>>>>> 
>>>>>> It doesn't appear to be a clone, but embedding bitbucket - and the 
>>>>>> Python package *seems* genuine.
>>>>> 
>>>>> The site hosts an illegal copy of the bitbucket site and redirects the 
>>>>> logins not to bitbucket, but to code.thejeshgn.com:
>>>>> 
>>>>> http://code.thejeshgn.com/account/signin/
>>>>> 
>>>>> Needless to mention that the login info is sent in the clear as well...
>>>>> 
>>>>> I think we should inform Atlassian about this.
>>>> 
>>>> Looks like he cloned bitbucket for all his bitbucket repos:
>>>> 
>>>> http://code.thejeshgn.com/
>>>> 
>>>> and happily proxies requests through his site.
>>>> 
>>>>>> The correct place to report issues with pypi is the tracker (no-one on 
>>>>>> this webmaster alias is involved in the administration of pypi):
>>>>>> 
>>>>>>   http://sourceforge.net/tracker/?group_id=66150&atid=513503
>>>>>> 
>>>>>> For *discussing* PyPI issues, which seems wise for this particular 
>>>>>> question, the catalog-sig email list is the right place:
>>>>>> 
>>>>>>   http://www.python.org/community/sigs/current/catalog-sig/
>>>>>> 
>>>>>> I've copied them in on this email.
>>>>>> 
>>>>>> All the best,
>>>>>> 
>>>>>> Michael Foord
>>>>>> 
>>>>>> On 29 Mar 2012, at 11:15, m t wrote:
>>>>>> 
>>>>>>> hi,
>>>>>>> this package in pypi doesn't redirect to bitbucket, but to a cloned site 
>>>>>>> that phishes bitbucket emails:
>>>>>>> http://pypi.python.org/pypi/Octopoda/.0.1
>>>>>>> 
>>>>>>> might want to look into it,
>>>>>>> mt
>>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> --
>>>>>> http://www.voidspace.org.uk/
>>>>>> 
>>>>>> 
>>>>>> May you do good and not evil
>>>>>> May you find forgiveness for yourself and forgive others
>>>>>> May you share freely, never taking more than you give.
>>>>>> -- the sqlite blessing
>>>>>> http://www.sqlite.org/different.html
>>>>>> 
>>>>>> _______________________________________________
>>>>>> Catalog-SIG mailing list
>>>>>> [email protected]
>>>>>> http://mail.python.org/mailman/listinfo/catalog-sig
>>>>> 
>>>> 
>>>> --
>>>> Marc-Andre Lemburg
>>>> eGenix.com
>>>> 
>>>> Professional Python Services directly from the Source  (#1, Mar 29 2012)
>>>> Python/Zope Consulting and Support ...        http://www.egenix.com/
>>>> mxODBC.Zope.Database.Adapter ...             http://zope.egenix.com/
>>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
>>>> ________________________________________________________________________
>>>> 2012-04-03: Python Meeting Duesseldorf                      5 days to go
>>>> 
>>>> ::: Try our new mxODBC.Connect Python Database Interface for free ! ::::
>>>> 
>>>> 
>>>> eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
>>>> D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
>>>>        Registered at Amtsgericht Duesseldorf: HRB 46611
>>>>            http://www.egenix.com/company/contact/
>>>> 
>>> 
>>> 
>>> 
>> 
>> 
> 
> 
> 

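As an added example (not code from this thread, from PyPI or from Bitbucket), a small audit of a fetched sign-in page that flags the two things reported above: the form posts credentials to a host other than the branded service, and it does so over plain HTTP. The sample page is constructed from the thread's description, the host names are taken from it, and `audit_login_page` and `_FormCollector` are this example's own names.

```python
# Added example (not from the thread, PyPI or Bitbucket): heuristics for
# flagging a look-alike login page that relays credentials elsewhere.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Record each <form> action and whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.forms.append({"action": attrs.get("action") or "", "password": False})
        elif tag == "input" and self.forms and (attrs.get("type") or "").lower() == "password":
            self.forms[-1]["password"] = True  # attributed to the most recent form

def audit_login_page(page_url, html, trusted_host):
    """Return findings for a login page fetched from page_url; trusted_host is
    the service whose branding the page carries (e.g. "bitbucket.org")."""
    findings = []
    page_host = urlsplit(page_url).hostname
    if page_host != trusted_host:
        findings.append(f"page served from {page_host}, not {trusted_host}")
    parser = _FormCollector()
    parser.feed(html)
    for form in parser.forms:
        if not form["password"]:
            continue  # search boxes etc. never carry credentials
        target = urlsplit(urljoin(page_url, form["action"]))  # resolve relative actions
        if target.hostname != trusted_host:
            findings.append(f"credentials posted to {target.hostname}, not {trusted_host}")
        if target.scheme != "https":
            findings.append(f"credentials posted over {target.scheme}, not https")
    return findings

# Constructed sample mirroring the reported clone: Bitbucket branding, sign-in
# form posting to the proxy host over plain HTTP (hosts taken from the thread).
SAMPLE_URL = "http://code.thejeshgn.com/account/signin/"
SAMPLE_HTML = """<html><body><h1>Bitbucket</h1>
<form method="post" action="/account/signin/">
  <input name="username" type="text"><input name="password" type="password">
</form></body></html>"""

if __name__ == "__main__":
    for finding in audit_login_page(SAMPLE_URL, SAMPLE_HTML, "bitbucket.org"):
        print("FINDING:", finding)
```

The same page served from the genuine host over HTTPS produces no findings, so the check separates a relaying clone from a legitimate relative-action form.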
