pypa / packaging-problems

An issue tracker for the problems in packaging

Invalid Package "excel 1.0.0" https://pypi.org/project/excel/1.0.0/ #172

Open sheecegardezi opened 6 years ago

sheecegardezi commented 6 years ago

I recently started working on legacy code, where we were using python 2.6 and excel==0.7.2. I wanted to search if somebody was maintaining excel. I wanted to upgrade to python 3.x+. This led me to excel 1.0.0 on PyPI. Link to GitHub: https://github.com/twz915/excel/blob/master/excel/xlrd_shortcuts.py It's nowhere near complete or an extension of the original work. It's just a wrapper over xlrd, encapsulating 1 function and 4 variables from xlrd. Secondly, the link to the website (replica of www.w3schools.com) and the email addresses have both been compromised. This package excel==1.0.0 should be removed from the PyPI repository.

E3V3A commented 5 years ago

Good point! How do you remove something like this from there?

ncoghlan commented 5 years ago

The preferred path for security notifications is emailing security@python.org directly, as per https://pypi.org/security/

However, since there isn't a clear builtin system for reporting problematic packages at this stage, and this ticket already exists, I'll just let @ewdurbin know about it as the PSF's Director of Infrastructure.

E3V3A commented 5 years ago

> However, since there isn't a clear builtin system for reporting problematic packages

:scream: That is quite discomforting to know. So next time someone pushes some malware to pypi, it will take days or weeks to get rid of it? -- Good to know!

ewdurbin commented 5 years ago

It's not clear to me if removal of this project is specified under PEP 541, closest clause is Invalid Projects but I'm not sure if there is sufficient claim to any of the criteria.

gaborbernat commented 5 years ago

Indeed, only the e-mail domain has been compromised and the package is no malware. While arguably contacting the original author is non-trivial, it should still be possible that he will turn up.

sheecegardezi commented 5 years ago

I should have elaborated about the web link: at the project's GitHub profile [https://github.com/twz915/excel] there is a link [http://www.tuweizhong.com]. This is supposed to point to the project's website, which contains information regarding the project itself. But it is a replica of w3.schools.com.

This is a typical example of increasing incoming web links to increase the ranking of a website in a search engine.

As per PEP 541 it's an Invalid project; the following clauses are being checked: project is name squatting (package has no functionality or is empty); project is abusing the Package Index for purposes it was not intended.

And also it's fulfilling all the check boxes for an Abandoned project.