I agree with Martin. This security event is of no consequence to us, because we use the libraries included in Python.
It reminds us too that we should avoid adding dependencies on untrusted source code, and especially be wary of adding any use of pypi.

On Thu, Jan 23, 2020 at 07:54:07PM -0300, Martin Abente wrote:
> "The first is "python3-dateutil," which imitated the popular "dateutil"
> library. The second is "jeIlyfish" (the first L is an I), which mimicked the
> "jellyfish" library."
>
> If you read that carefully, it says these 2 libraries imitated the real
> libraries. It does not say that the original libraries were compromised.
>
> On Thu, Jan 23, 2020 at 7:50 PM Chihurumnaya Ibiam <[1]ibiamchihurumn...@gmail.com> wrote:
>
> Dateutil has been found to contain malicious code; a GitHub search shows
> 10+ uses of dateutil in Sugar Labs repos.
>
> You can read more about it here
> [2]https://www.zdnet.com/article/two-malicious-python-libraries-removed-from-pypi/
> _______________________________________________
> Sugar-devel mailing list
> [3]Sugar-devel@lists.sugarlabs.org
> [4]http://lists.sugarlabs.org/listinfo/sugar-devel
>
> References:
>
> [1] mailto:ibiamchihurumn...@gmail.com
> [2] https://www.zdnet.com/article/two-malicious-python-libraries-removed-from-pypi/
> [3] mailto:Sugar-devel@lists.sugarlabs.org
> [4] http://lists.sugarlabs.org/listinfo/sugar-devel

--
James Cameron
http://quozl.netrek.org/
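The two packages named in the thread are look-alikes of real ones: "python3-dateutil" differs from the genuine distribution by one extra character, and "jeIlyfish" swaps a capital I for the l in "jellyfish". A cheap defensive check is to compare every name in a requirements file against the project's own allow-list, first by exact PEP 503 normalisation, then with confusable glyphs collapsed, then by edit distance. The script below is an added example written for this thread, not code from Sugar Labs or from any of the posters. The allow-list and the requirements text are constructed for illustration; it assumes "python-dateutil" is the real distribution name of the dateutil library and uses only the standard library.

```python
"""Flag look-alike (typosquatted) distribution names in a requirements file.

Added example for the Sugar-devel thread; the TRUSTED allow-list and the
SAMPLE_REQUIREMENTS text are constructed for illustration only.
"""
import difflib
import re
import unicodedata

# Constructed allow-list: the distributions a project has actually vetted.
# "python-dateutil" is assumed to be the genuine name of the dateutil library.
TRUSTED = ["python-dateutil", "jellyfish", "requests", "six"]

# Constructed requirements file with two names modelled on those in the thread.
SAMPLE_REQUIREMENTS = """\
# pinned deps
requests==2.22.0
python3-dateutil
jeIlyfish>=0.7
six
left-pad-py
"""

# Glyph pairs a human reader tends to confuse. Applied before lower-casing so a
# capital I (eye) collapses onto l (ell), as it does visually.
CONFUSABLES = {"I": "l", "1": "l", "|": "l", "0": "o", "O": "o",
               "5": "s", "rn": "m", "vv": "w"}

# A requirement line starts with the distribution name; specifiers follow.
_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def canonical(name: str) -> str:
    """PEP 503 normalisation: runs of '-', '_' and '.' become '-', lower-case."""
    return re.sub(r"[-_.]+", "-", name).lower()


def skeleton(name: str) -> str:
    """Collapse confusable glyphs so visual look-alikes map to one string."""
    s = unicodedata.normalize("NFKC", name)
    for bad, good in CONFUSABLES.items():
        s = s.replace(bad, good)
    return canonical(s)


def requirement_name(line: str):
    """Return the bare distribution name from one requirements line, or None."""
    line = line.split("#", 1)[0]          # drop trailing comments
    match = _NAME_RE.match(line)
    return match.group(1) if match else None


def check_requirements(text: str, trusted):
    """Classify each requirement as trusted, lookalike, near-match or unknown.

    Returns {requested_name: (status, matched_trusted_name_or_None)}.
    """
    trusted_canon = {canonical(t) for t in trusted}
    by_skeleton = {skeleton(t): canonical(t) for t in trusted}
    report = {}
    for line in text.splitlines():
        name = requirement_name(line)
        if not name:
            continue
        canon = canonical(name)
        if canon in trusted_canon:                      # exact, normalised hit
            report[name] = ("trusted", canon)
            continue
        twin = by_skeleton.get(skeleton(name))          # homoglyph swap
        if twin:
            report[name] = ("lookalike", twin)
            continue
        close = difflib.get_close_matches(              # one-character edits
            canon, sorted(trusted_canon), n=1, cutoff=0.8)
        if close:
            report[name] = ("near-match", close[0])
        else:
            report[name] = ("unknown", None)
    return report


if __name__ == "__main__":
    for requested, (status, match) in check_requirements(
            SAMPLE_REQUIREMENTS, TRUSTED).items():
        print(f"{requested:20} {status:10} {match or ''}")
```

Anything reported as "lookalike" or "near-match" deserves a human look before it is installed; "unknown" simply means the name is not on the allow-list yet, which is the review gate James describes. Run against the constructed input, "jeIlyfish" is reported as a lookalike of "jellyfish" and "python3-dateutil" as a near-match of "python-dateutil".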