This issue was also brought up in January at https://github.com/pypa/pypi-legacy/issues/585, and then, just as after the initial "typosquatting PyPI" report (June 2016), it was met with resounding silence. Attacking the messenger doesn't seem like a winning move from a security standpoint.
Can we come up with a plan to address the underlying issue and protect users?

Nick

On Thu, Jun 1, 2017 at 5:25 PM, Richard Jones <rich...@python.org> wrote:
> On 2 June 2017 at 03:40, Thomas Kluyver <tho...@kluyver.me.uk> wrote:
>
>> On Thu, Jun 1, 2017, at 06:32 PM, Matt Joyce wrote:
>> There *appear* to be, but I checked several of the names listed there,
>> and they're not on PyPI:
>>
>> https://pypi.python.org/pypi/tkinter
>> https://pypi.python.org/pypi/memcached
>> https://pypi.python.org/pypi/vtk
>> https://pypi.python.org/pypi/python-dev
>> https://pypi.python.org/pypi/opencv
>>
>> So I wonder if the data is fake. Or maybe they were already taken down?
>> Or the installations are real, but not using those names.
>
> Yes, we had the author take them down, please see
> https://github.com/pypa/pypi-legacy/issues/644
>
> Richard
_______________________________________________ Distutils-SIG maillist - Distutils-SIG@python.org https://mail.python.org/mailman/listinfo/distutils-sig