Re: Open source archives hosting malicious software packages

2017-09-22 Thread Neil Bowers
First cut at a script to check new CPAN packages: https://github.com/neilb/cpan-watcher At the moment it just flags: package names that are confusable with packages in other dists; package names which don’t come under the expected main package name

Re: Open source archives hosting malicious software packages

2017-09-21 Thread David Precious
On Fri, 22 Sep 2017 01:00:22 +1200 Kent Fredric wrote: > On 22 September 2017 at 00:11, David Cantrell > wrote: > > > But is anyone paying attention? I assume you're talking about > > #cpantesters, which I'm on, but I hardly ever look at it, and

Re: Open source archives hosting malicious software packages

2017-09-21 Thread Kent Fredric
On 22 September 2017 at 00:11, David Cantrell wrote: > But is anyone paying attention? I assume you're talking about > #cpantesters, which I'm on, but I hardly ever look at it, and when I do > look I certainly don't look at scrollback, let alone looking at > scrollback

Re: Open source archives hosting malicious software packages

2017-09-21 Thread David Cantrell
On Wed, Sep 20, 2017 at 11:13:50PM +0100, David Precious wrote: > One thing I think is good to consider is the fact that all CPAN releases > get announced on a quite populated IRC channel, increasing the chance of > someone spotting a release announcement and thinking "hmm, that looks > dodgy" -

Re: Open source archives hosting malicious software packages

2017-09-21 Thread Kent Fredric
On 21 September 2017 at 20:24, Neil Bowers wrote: > I’ll tweak my script to not worry about packages in the same distribution > (eg Acme::Flat::GV and Acme::Flat::HV). Then I just need to get a list of > new packages each day, and I’m just about there :-) I'd probably

Re: Open source archives hosting malicious software packages

2017-09-21 Thread Neil Bowers
> Would anyone know of any prior art for detection of "short edit distances"? > (Perhaps even already on CPAN?) As David & Zefram pointed out, Levenshtein is the classic algorithm for this, but there are plenty of others; in the SEE ALSO for Text::Levenshtein I’ve listed at least some of the
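The check sketched in this thread (Neil's cpan-watcher flags from the top of the page, the "short edit distance" idea, and the tweak to ignore sibling packages in the same distribution) can be illustrated as below. This is an added example, not code from cpan-watcher or from Text::Levenshtein: the package-to-distribution index is constructed stand-in data rather than the real PAUSE index, the distance threshold of 2 is an arbitrary choice, and the "expected main package" rule (distribution Foo-Bar should provide Foo::Bar or something beneath it) is a simplification assumed here.

```python
"""Flag newly registered package names that look confusable with existing ones.

Added example, not cpan-watcher's code: a plain Levenshtein distance scan over
a constructed package -> distribution index, plus a check that each package in a
release sits under the distribution's expected main package.
"""


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute) using a rolling row."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


# Constructed stand-in for the PAUSE package index: package -> distribution.
EXISTING = {
    "DBIx::Class": "DBIx-Class",
    "Class::DBI": "Class-DBI",
    "Text::Levenshtein": "Text-Levenshtein",
    "Acme::Flat::GV": "Acme-Flat",
    "Acme::Flat::HV": "Acme-Flat",
}


def expected_main_package(dist: str) -> str:
    """Assumed convention: distribution Foo-Bar is expected to provide Foo::Bar."""
    return dist.replace("-", "::")


def confusable_with(name: str, dist: str, index, max_distance: int = 2):
    """Existing packages from other distributions within max_distance edits of name.

    Packages in the same distribution are skipped on purpose: Acme::Flat::GV and
    Acme::Flat::HV are legitimately one edit apart.
    """
    hits = []
    for other, other_dist in index.items():
        if other == name or other_dist == dist:
            continue
        d = levenshtein(name, other)
        if d <= max_distance:
            hits.append((other, d))
    return sorted(hits, key=lambda h: (h[1], h[0]))


def check_release(dist: str, packages, index=EXISTING):
    """Return human-readable warnings for one new release (empty list if clean)."""
    warnings = []
    main = expected_main_package(dist)
    for pkg in packages:
        if pkg in index:
            continue  # already registered; only new names are interesting
        for other, d in confusable_with(pkg, dist, index):
            warnings.append(f"{pkg}: distance {d} from {other} ({index[other]})")
        if not (pkg == main or pkg.startswith(main + "::")):
            warnings.append(f"{pkg}: does not fall under expected main package {main}")
    return warnings


if __name__ == "__main__":
    # The thread's own example: DBI::Class is one edit away from DBIx::Class.
    for line in check_release("DBI-Class", ["DBI::Class"]):
        print(line)
    # A sibling package inside an existing distribution raises nothing.
    print(check_release("Acme-Flat", ["Acme::Flat::AV"]))
```

A reviewer working from such output would still look at the upload by hand; the point of the threshold and the same-distribution exemption is only to keep the alert list short enough that someone actually reads it.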

Re: Open source archives hosting malicious software packages

2017-09-20 Thread Zefram
James E Keenan wrote: >Would anyone know of any prior art for detection of "short edit distances"? >(Perhaps even already on CPAN?) Text::Levenshtein. -zefram

Re: Open source archives hosting malicious software packages

2017-09-20 Thread David Precious
On Wed, 20 Sep 2017 18:08:34 -0400 James E Keenan wrote: > On 09/20/2017 06:01 PM, Neil Bowers wrote: > > One thing we could do is have a tool looking at newly registered > > package names and alert the PAUSE admins to have a look at any that > > are a short edit distance from

Re: Open source archives hosting malicious software packages

2017-09-20 Thread James E Keenan
On 09/20/2017 06:01 PM, Neil Bowers wrote: http://www.theregister.co.uk/2017/09/15/pretend_python_packages_prey_on_poor_typing/ Would CPAN be subject to the same problem as described in the article above? Yes. DBI::Class, for example, could be a typo for DBIx::Class or a misremembered

Re: Open source archives hosting malicious software packages

2017-09-20 Thread Neil Bowers
>> http://www.theregister.co.uk/2017/09/15/pretend_python_packages_prey_on_poor_typing/ Would >> CPAN be subject to the same problem as described in the article above? > > Yes. > > DBI::Class, for example, could be a typo for DBIx::Class or a > misremembered Class::DBI, and there's nothing

Re: Open source archives hosting malicious software packages

2017-09-20 Thread David Cantrell
On Fri, Sep 15, 2017 at 07:11:49PM -0400, James E Keenan wrote: > http://www.theregister.co.uk/2017/09/15/pretend_python_packages_prey_on_poor_typing/ > > Would CPAN be subject to the same problem as described in the article above? Yes. DBI::Class, for example, could be a typo for DBIx::Class

Open source archives hosting malicious software packages

2017-09-15 Thread James E Keenan
http://www.theregister.co.uk/2017/09/15/pretend_python_packages_prey_on_poor_typing/ Would CPAN be subject to the same problem as described in the article above?