On 2 June 2017 at 19:42, Richard Jones <[email protected]> wrote:
> On 2 June 2017 at 18:05, Nick Coghlan <[email protected]> wrote:
>>
>> On 2 June 2017 at 09:00, Nick Timkovich <[email protected]> wrote:
>> > This issue was also brought up in January at
>> > https://github.com/pypa/pypi-legacy/issues/585 then, just as after the
>> > initial "typosquatting PyPI" report (June 2016), it's met with resounding
>> > silence. Attacking the messenger doesn't seem like a winning move from a
>> > security standpoint.
>> >
>> > Can we come up with a plan to address the underlying issue and protect
>> > users?
>>
>> I like the suggestion of an auto-generated "common 404" blacklist,
>> where regularly queried-but-nonexistent names can't be registered
>> without prior approval by the PyPI admins or the PSF.
>
> I like it also, but it adds an additional administration burden on top of
> that which is not being coped with at the moment.
>
> 117 open issues in https://github.com/pypa/pypi-legacy/issues
> 219 open support tickets in https://sourceforge.net/p/pypi/support-requests/
Right, to be even remotely viable, any approach would need to be almost
entirely automated, and even then, we'd anticipate a potential uptick in
support requests asking for particular names to be unblocked.

In the meantime, I'm OK with our official answer being "This is why
suppliers of component whitelisting and security scanning systems
currently have a viable business model - nobody has figured out how to do
this sustainably at PyPI's scale with purely volunteer effort, and the
PSF's own finances aren't yet in good enough shape to fund it directly on
behalf of the wider community".

Cheers,
Nick.

--
Nick Coghlan | [email protected] | Brisbane, Australia
_______________________________________________
Distutils-SIG maillist - [email protected]
https://mail.python.org/mailman/listinfo/distutils-sig
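The "common 404 blacklist" idea discussed in the thread above, sketched as a worked example. This is added illustration, not code from PyPI, pypi-legacy or any of the thread's participants. It assumes a simplified access-log line format of `<client-ip> <status> <path>` (real PyPI/Warehouse logs differ), constructed sample log lines, and an illustrative threshold of three distinct clients. Names are compared after PEP 503 normalization (runs of `-`, `_` and `.` collapsed to `-`, then lowercased), which is the same rule the simple index uses, so `Reqeusts`, `reqeusts` and `req_eusts`-style variants count as one candidate. Distinct client addresses are counted rather than raw hits so that one misconfigured client retrying in a loop cannot push a name onto the list by itself.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real PyPI traffic). Assumed format:
# "<client-ip> <status> <request-path>".
SAMPLE_LOG = """\
10.0.0.1 200 /simple/requests/
10.0.0.2 404 /simple/reqeusts/
10.0.0.3 404 /simple/reqeusts/
10.0.0.4 404 /simple/Reqeusts/
10.0.0.5 404 /simple/urlib3/
10.0.0.6 404 /simple/urlib3/
10.0.0.7 404 /simple/urlib3/
10.0.0.8 404 /simple/once-off-typo/
10.0.0.9 200 /simple/urllib3/
10.0.0.10 404 /simple/django_restframework/
10.0.0.11 404 /simple/django.restframework/
10.0.0.12 404 /simple/django-restframework/
"""

# Only requests against the simple index are of interest; everything else
# (downloads, API calls, garbage paths) is ignored.
LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<status>\d{3}) /simple/(?P<name>[^/]+)/")


def normalize(name):
    """PEP 503 project-name normalization."""
    return re.sub(r"[-_.]+", "-", name).lower()


def clients_per_missing_name(log_text):
    """Map each normalized 404'd project name to the set of client IPs that asked for it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("status") != "404":
            continue
        seen[normalize(m.group("name"))].add(m.group("ip"))
    return seen


def build_blacklist(log_text, min_clients=3):
    """Names requested by at least `min_clients` distinct clients but that do not exist.

    `min_clients` is an illustrative threshold; a real deployment would tune it
    against traffic volume and a window of time.
    """
    seen = clients_per_missing_name(log_text)
    return {name for name, ips in seen.items() if len(ips) >= min_clients}


def registration_requires_approval(requested_name, blacklist):
    """The check a registration endpoint would run before creating a new project.

    Normalizing here means an attacker cannot dodge the list with case or
    separator variations of a blacklisted name.
    """
    return normalize(requested_name) in blacklist


if __name__ == "__main__":
    bl = build_blacklist(SAMPLE_LOG)
    print("blocked until approved:", sorted(bl))
    for candidate in ("ReqEusts", "req_eusts", "requests", "once-off-typo"):
        print(candidate, "->", "needs approval" if registration_requires_approval(candidate, bl) else "ok")
```

Two caveats worth keeping in mind when reading the thread's cost concern. First, the list is reactive: it only covers names that people are already mistyping, so a freshly registered typosquat that nobody has requested yet is not caught, and a separate edit-distance check against the most-downloaded projects would be needed for that. Second, every name on the list is a future support ticket from whoever legitimately wants it, which is the administrative burden Richard Jones points to.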
