-
Just today I noticed https://hackage.haskell.org/package/wsdl-0.1.0.0 which comes with a
big "DO NOT USE, UNSTABLE AND INCOMPLETE." disclaimer in its description.
IMO, such packages don't belong i…
-
The usage for colout gives a misleading suggestion:
```
$ echo "fubar" | colout "fubar" Green;
[colout] ERROR: Unknown color: Green (maybe you forgot to install python3-pygments?)
$ pip instal…
```
-
**What's the problem this feature will solve?**
The Python Security Response Team (PSRT) is getting inquiries and security reports regarding malicious content on PyPI regularly. Every now and then …
-
The last meetup went quite short due to the talks that were scheduled, but a number of people stuck around afterwards. Amongst some of the things that we ended up discussing, the idea of formally havi…
-
I'm wondering what the license for typomind would be. In particular, we are thinking of running typomind for all existing packages across multiple package ecosystems and on demand for newly published …
-
Even without the global fallback (which nicely requires the @version specifier), it's still pretty easy to goof up a name and download and execute something completely unexpected (for example ["create…
-
Thank you SO MUCH for your work on the "Principles for Package Repository Security".
Today several of us brainstormed about ways to possibly improve it, as part of the CISA OSS Summit. Below are no…
-
http://incolumitas.com/2016/06/08/typosquatting-package-managers/
http://incolumitas.com/data/thesis.pdf
There is a thesis written about achieving RCE through typo squatting on popular package man…
-
**Is your feature request related to a problem? Please describe.**
[MITRE's hipcheck](https://github.com/mitre/hipcheck) attempts to analyze OSS to measure security, with a concept similar to Score…