On 2 June 2017 at 09:00, Nick Timkovich <[email protected]> wrote:
> This issue was also brought up in January at
> https://github.com/pypa/pypi-legacy/issues/585 then just as after the
> initial "typosquatting PyPI" report (June 2016) it's met with resounding
> silence. Attacking the messenger doesn't seem like a winning move from a
> security standpoint.
>
> Can we come up with a plan to address the underlying issue and protect
> users?
I like the suggestion of an auto-generated "common 404" blacklist, where regularly queried-but-nonexistent names can't be registered without prior approval by the PyPI admins or the PSF.

Beyond that, one of the biggest challenges we face with the status quo is that it's mainly perceived by commercial redistributors as an opportunity to sell people security scanning and component whitelisting tools, rather than as a shared ecosystem health management problem to be addressed collectively :(

Cheers,
Nick.

--
Nick Coghlan | [email protected] | Brisbane, Australia

_______________________________________________
Distutils-SIG maillist - [email protected]
https://mail.python.org/mailman/listinfo/distutils-sig
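The "common 404" blocklist idea discussed in this message, sketched as an added Python example (not code from the thread, from PyPI or from the PSF): it counts requests for nonexistent project names in a few constructed access-log lines, turns the names requested more than a threshold number of times into a blocklist, and gates registration of any blocklisted name behind explicit admin approval. The log format, the threshold, the PEP 503-style name normalization and every package name in the sample are assumptions made for the example.

```python
"""
Auto-generated "common 404" blocklist for a package index (added example).

Names that are frequently requested but do not exist are likely typos of
popular projects; rather than letting anyone register them, the index
requires prior approval by its admins. Log lines, names and the threshold
below are constructed for illustration, not taken from any real index.
"""
from __future__ import annotations

import re
from collections import Counter

# Constructed sample of index access-log lines: "GET <path> <status>".
# A real deployment would read these from the index's web server logs.
SAMPLE_LOG = """\
GET /simple/requests/ 200
GET /simple/reqeusts/ 404
GET /simple/reqeusts/ 404
GET /simple/reqeusts/ 404
GET /simple/urllib3/ 200
GET /simple/urlib3/ 404
GET /simple/urlib3/ 404
GET /simple/totally-unique-name/ 404
GET /simple/numpy/ 200
"""

# Assumed log shape: method, /simple/<project>/ path, HTTP status.
LOG_RE = re.compile(r"^GET /simple/(?P<name>[^/]+)/ (?P<status>\d{3})$")


def normalize(name: str) -> str:
    """Normalize a project name the way PEP 503 does: case-fold and
    collapse runs of '-', '_' and '.' into a single '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def count_missing(log_text: str) -> Counter[str]:
    """Count how often each nonexistent (HTTP 404) project name is requested."""
    counts: Counter[str] = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("status") == "404":
            counts[normalize(m.group("name"))] += 1
    return counts


def build_blocklist(log_text: str, threshold: int) -> set[str]:
    """Names that were requested-but-missing at least `threshold` times.
    The threshold keeps one-off requests for genuinely new names off the list."""
    return {name for name, n in count_missing(log_text).items() if n >= threshold}


def registration_decision(name: str, blocklist: set[str], approved: set[str]) -> str:
    """Return 'allow' for an ordinary registration, or 'needs-approval' when
    the (normalized) name is on the blocklist and has not been pre-approved
    by the index admins."""
    norm = normalize(name)
    if norm in blocklist and norm not in approved:
        return "needs-approval"
    return "allow"


if __name__ == "__main__":
    blocklist = build_blocklist(SAMPLE_LOG, threshold=2)
    print("blocklist:", sorted(blocklist))
    for candidate in ["reqeusts", "Urlib3", "totally-unique-name", "brand-new"]:
        print(f"{candidate}: {registration_decision(candidate, blocklist, approved=set())}")
```

The decision function normalizes before the lookup so that case or separator variants of a blocklisted name ("Urlib3", "ur_lib3") cannot slip past the check; the approval set is the hook for the "prior approval by the PyPI admins or the PSF" step the message describes.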
