On closer examination, those packages do not actually appear to upload any information - they seem to be empty packages placed there to serve as a warning.
It's not clear to me whether the data on the fatezero.org website is from other packages which really do upload data, or if it's fake.

On Thu, Jun 1, 2017, at 06:18 PM, Thomas Kluyver wrote:
> Are we aware of this?
> http://evilpackage.fatezero.org/
>
> I recall there were a couple of these before which were taken down, but
> someone appears to have made a cookiecutter template so you can very
> easily claim names on PyPI, and anyone who installs that package will
> submit their information to that site. A couple that are up at the
> moment:
>
> https://pypi.python.org/pypi/requirements-txt/1.1.1
> https://pypi.python.org/pypi/ztz/0.1.1
>
> Do we delete them? Do we try to detect similar packages being uploaded
> and block them? I suspect it's a waste of time to try to prevent this in
> general, but maybe it's worth protecting likely names that people might
> 'pip install' by mistake, such as requirements-txt.
>
> Thomas
> _______________________________________________
> Distutils-SIG maillist - [email protected]
> https://mail.python.org/mailman/listinfo/distutils-sig
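The quoted message suggests protecting names people might `pip install` by mistake, such as requirements-txt. The sketch below is an added example of what such an upload-time check could look like; it is not code from this thread or from PyPI. The protected-name list, the filename-suffix heuristic, and the edit-distance threshold are all assumptions made for the example. Name normalization follows the PEP 503 rule (lowercase, runs of `-`, `_` and `.` collapsed to one `-`), so `requirements.txt`, `requirements_txt` and `Requirements-TXT` all compare equal.

```python
import re

# Constructed list of names a user plausibly types after "pip install" by
# mistake (a filename rather than a project). An assumption for this example,
# not a list PyPI maintains.
PROTECTED_NAMES = ["requirements-txt", "requirements.txt", "setup.py", "README.md"]

# File suffixes that, at the end of a normalized project name, suggest the name
# is really a filename pasted into "pip install". Heuristic, assumed here.
FILENAME_SUFFIXES = ("-txt", "-py", "-md", "-cfg", "-toml")


def normalize(name: str) -> str:
    """Canonical form per PEP 503: lowercase, runs of '-', '_', '.' become one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (classic dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def check_name(candidate: str, protected=PROTECTED_NAMES, max_distance=1):
    """Return a reason string if the candidate name should be held for review, else None.

    Rules, applied to the normalized name, in order:
      1. exact match with a protected name
      2. within max_distance edits of a protected name (catches typo variants)
      3. ends in a filename-style suffix (catches new filename-like names)
    """
    cand = normalize(candidate)
    protected_norm = {normalize(p) for p in protected}
    if cand in protected_norm:
        return f"exact match with protected name {cand!r}"
    for p in sorted(protected_norm):
        if levenshtein(cand, p) <= max_distance:
            return f"within {max_distance} edit(s) of protected name {p!r}"
    for suffix in FILENAME_SUFFIXES:
        if cand.endswith(suffix):
            return f"looks like a filename (ends with {suffix!r})"
    return None


if __name__ == "__main__":
    # Constructed sample of upload requests: two names from the thread plus
    # a typo variant and an ordinary project name.
    for name in ["requirements-txt", "ztz", "requirement_txt", "requests", "pyproject.toml"]:
        print(f"{name:20} -> {check_name(name)}")
```

Rule 3 is deliberately narrow: a short random name like `ztz` passes, which matches the thread's view that blocking such uploads in general is not worth attempting; the point of the check is only to hold the handful of names a mistyped `pip install` is likely to hit.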
