hi,

yuval and michael were right (attached below is bitbucket's reply),
i definitely over-reacted

hopefully there is some way for you guys to automatically detect nefarious packages from entering pypi

thanks for the communication, top-notch
good job with the feedback and discussion,

mt

and here is bitbucket's reply to my notifying them of that repo:

Brodie Rao, Mar 29 13:07 (PDT):

Hi mt,

I don't think that user's phishing; he's just using our CNAME feature that lets him point a domain name to his Bitbucket profile and repositories.

You'll get different opinions from other people on the Bitbucket team, but I'm personally not a fan of the feature because of the confusing security implications it has (as you've found out). It does indeed lead you to log into the site using his domain name. We may look into improving how logins work on CNAMEs in the future.

For now, you can still view his repositories on bitbucket.org directly. I recommend doing that if you don't trust the owner of the domain name.

If you have any other questions, let me know.

Thanks,
Brodie

_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
