For the first few passes, if the 404-blacklist is sufficiently lax (strict?), only *extremely* common mistypes like "isx" or "requjests" should be caught. The slow response time would then be good, as it would force users to think long and hard about whether they really want such strange names and/or make some lazy malicious users give up. ;)
On Fri, Jun 2, 2017 at 8:05 AM, Nick Coghlan <[email protected]> wrote:
> On 2 June 2017 at 19:42, Richard Jones <[email protected]> wrote:
> > On 2 June 2017 at 18:05, Nick Coghlan <[email protected]> wrote:
> >>
> >> On 2 June 2017 at 09:00, Nick Timkovich <[email protected]> wrote:
> >> > This issue was also brought up in January at
> >> > https://github.com/pypa/pypi-legacy/issues/585 then just as after the
> >> > initial "typosquatting PyPI" report (June 2016) it's met with resounding
> >> > silence. Attacking the messenger doesn't seem like a winning move from a
> >> > security standpoint.
> >> >
> >> > Can we come up with a plan to address the underlying issue and protect
> >> > users?
> >>
> >> I like the suggestion of an auto-generated "common 404" blacklist,
> >> where regularly queried-but-nonexistent names can't be registered
> >> without prior approval by the PyPI admins or the PSF.
> >
> > I like it also, but it adds an additional administration burden on top of
> > that which is not being coped with at the moment.
> >
> > 117 open issues in https://github.com/pypa/pypi-legacy/issues
> > 219 open support tickets in https://sourceforge.net/p/pypi/support-requests/
>
> Right, to be even remotely viable, any approach would need to be
> almost entirely automated, and even then, we'd anticipate a potential
> uptick in support requests asking for particular names to be
> unblocked.
>
> In the meantime, I'm OK with our official answer being "This is why
> suppliers of component whitelisting and security scanning systems
> currently have a viable business model - nobody has figured out how to
> do this sustainably at PyPI's scale with purely volunteer effort, and
> the PSF's own finances aren't yet in good enough shape to fund it
> directly on behalf of the wider community".
>
> Cheers,
> Nick.
>
> --
> Nick Coghlan | [email protected] | Brisbane, Australia
_______________________________________________
Distutils-SIG maillist - [email protected]
https://mail.python.org/mailman/listinfo/distutils-sig
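An added worked example, not code from this thread and not PyPI's or Warehouse's own implementation: a minimal version of the auto-generated "common 404" blacklist Nick describes, with the threshold set the way the reply above suggests, so that only names requested-but-missing many times are held back for approval while one-off misses are left alone. The log line format, the sample lines, the threshold value and all function names are assumptions made here; the only part taken from a real spec is PEP 503 name normalization (lowercase, runs of `-`, `_` and `.` collapsed to `-`), which matters because "Requjests" and "requjests" are the same project name on PyPI.

```python
import re
from collections import Counter

# Constructed sample of simple-index access log lines: "<status> <path>".
# These are made up for the example; they are not real PyPI traffic.
SAMPLE_LOG = """\
404 /simple/requjests/
404 /simple/requjests/
404 /simple/requjests/
404 /simple/isx/
404 /simple/isx/
404 /simple/isx/
404 /simple/isx/
404 /simple/my-one-off-internal-pkg/
200 /simple/requests/
200 /simple/six/
404 /simple/Requjests/
"""

# PEP 503: compare project names case-insensitively with runs of
# '-', '_' and '.' collapsed to a single '-'.
_NORMALIZE_RE = re.compile(r"[-_.]+")
_SIMPLE_PATH_RE = re.compile(r"^/simple/([^/]+)/?$")


def normalize(name):
    """Return the PEP 503 normalized form of a project name."""
    return _NORMALIZE_RE.sub("-", name).lower()


def count_404s(log_text):
    """Count 404 responses per normalized project name.

    Assumed log format (constructed for this example): status code,
    a space, then the request path. Lines that are not 404s, or not
    /simple/<name>/ lookups, are ignored.
    """
    counts = Counter()
    for line in log_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        status, path = parts
        if status != "404":
            continue
        match = _SIMPLE_PATH_RE.match(path)
        if not match:
            continue
        counts[normalize(match.group(1))] += 1
    return counts


def build_blacklist(counts, threshold):
    """Names missed at least `threshold` times over the log window.

    A high threshold is the 'lax' setting from the thread: it catches
    only the extremely common mistypes and leaves rare misses alone.
    """
    return {name for name, n in counts.items() if n >= threshold}


def registration_decision(name, blacklist, existing):
    """Decide what a registration attempt for `name` should do.

    `existing` is the set of already-registered names in normalized
    form. Returns one of "taken", "needs-approval" or "allowed";
    "needs-approval" is the hold-for-admins path the thread proposes.
    """
    norm = normalize(name)
    if norm in existing:
        return "taken"
    if norm in blacklist:
        return "needs-approval"
    return "allowed"


if __name__ == "__main__":
    counts = count_404s(SAMPLE_LOG)
    blacklist = build_blacklist(counts, threshold=3)
    registered = {normalize("requests"), normalize("six")}
    for candidate in ("Requjests", "isx", "my_one_off.internal-pkg", "requests"):
        print(candidate, "->", registration_decision(candidate, blacklist, registered))
```

The threshold is the whole policy: set it high and the list stays short and mostly self-maintaining, set it low and every unblock request lands on the already-overloaded admin queue the quoted message is worried about. A real deployment would also want the window to roll (counts over the last N days rather than all time) so that a name stops being held once the typo traffic that earned it a place dies out.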
