pypi / support

Issue tracker for support requests related to using https://pypi.org

PEP 541 Request: pyscopg2 (typo name-squatting) #2879

Open 13steinj opened 1 year ago

13steinj commented 1 year ago

Project to be claimed

pyscopg2: https://pypi.org/project/pyscopg2

Your PyPI username

NA

Reasons for the request

This is a project by Yandex that name-squats a typo of the psycopg2 package; there is no code. First known upload in Feb 2023.

I don't believe this is a valid package under name-squatting rules.

At any time, it can be overwritten with malware; and as-is, does not show the user any error upon installation.

This was a sad headache for me today that took way longer than it should have :(

Maintenance or replacement?

None

Source code repositories URLs

NA

Contact and additional research

I don't believe I can contact the current owner under current sanctions related to the ongoing war in Ukraine, since this was found as part of work for my current employer? I'm not a lawyer. I don't know the legalities here and I'm yet to hear a response from my own organization's legal department. Under the assumption that I can contact them, I will, but given what I saw as clear-cut name-squatting I did some googling and found this first.


highghlow commented 1 year ago

I think this project exists to not allow anyone to insert malicious code into it, which is much worse than a blank project. Yandex probably wouldn't put malicious code on PyPI, but probably a better idea would be for PyPI to reserve that name and not Yandex.

13steinj commented 1 year ago

I'm fine with PyPI in some fashion reserving the name; but I would hope that PyPI does so correctly and triggers an error on install rather than silently "succeeding".

13steinj commented 1 year ago

Bit worse than I thought... Yandex has spammed PyPI with over 1000 packages. https://pypi.org/user/yandex-bot/

Many just because Yandex themselves use that name internally. I.e., instead of fixing their protocols to use some kind of PyPI mirror first hitting their own server, they decided to spam PyPI with over 1k name-squatting packages (and a few typo-name-squatting as well).

highghlow commented 1 year ago

> Bit worse than I thought... Yandex has spammed PyPI with over 1000 packages. https://pypi.org/user/yandex-bot/
>
> Many just because Yandex themselves use that name internally. I.e., instead of fixing their protocols to use some kind of PyPI mirror first hitting their own server, they decided to spam PyPI with over 1k name-squatting packages (and a few typo-name-squatting as well).

I saw this, and now I would totally contact Yandex about that. I can't imagine any reason why, because of some name used internally, they would publish an empty package to PyPI.

13steinj commented 1 year ago

I don't know if I legally can contact Yandex, what with current sanctions; and I'd have to further follow up with my org's legal.

Either way, by fact that they did this, I don't think I'd get far telling them "you guys are being silly and using pypi wrong, please remove all of these and completely change your internal processes."

I don't think this is an appropriate use of PyPI, and simultaneously, if the PyPA agrees, these should really be nuked. But I have no idea if there's a better method of contact than this GitHub issue board.

If PyPA disagrees I'll respect the decision but I'd have to disagree with it; empty packages should never be made IMO. For things like the typo scenario maybe have some way for PyPI to reserve the name, but in doing so trigger an actual error response on-install (I'd imagine even just having only-source packages that raise an exception in setup.py would suffice to trigger an error in pip and other tools).

My issue with Yandex doing it over PyP[I|A] is:

There's also the fact that there's 0 guarantee that in the future someone won't want to use one of those names, Yandex denies transfer, someone makes a ticket here and has to waste time (I totally get this being volunteer and/or taking time), or even Yandex is pressured by local governments to put a backdoor in these packages.
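The install-time error the comment above asks for, written out as an added example (this is not PyPI's or Yandex's code, and not a mechanism PyPI has adopted): a setup.py for a reserved placeholder name that aborts the build with a message pointing at the intended package, so `pip install` fails instead of silently succeeding with an empty distribution. The name pair is the one from this thread; the message wording is an assumption.

```python
"""setup.py for a reserved placeholder name that refuses to install.

Added example. Assumptions: the name pair below is the one from this thread;
the message text is illustrative. The point is that a placeholder should make
`pip install` fail loudly instead of succeeding with an empty package.
"""
import sys

PLACEHOLDER_NAME = "pyscopg2"   # the squatted typo
INTENDED_NAME = "psycopg2"      # the package the user almost certainly meant


def refusal_message(placeholder: str, intended: str) -> str:
    """Text shown in pip's build-error output when the placeholder is installed."""
    return (
        f"'{placeholder}' is a reserved placeholder name and contains no code.\n"
        f"It exists only to block typo-squatting of '{intended}'.\n"
        f"Did you mean:  pip install {intended}"
    )


def refuse_install(placeholder: str = PLACEHOLDER_NAME,
                   intended: str = INTENDED_NAME) -> None:
    """Abort the build with a non-zero exit status and a human-readable reason.

    The message goes to stderr, which pip surfaces in its build-failure output,
    and SystemExit(1) makes the build step fail. It is raised before
    setuptools.setup() would be called, so nothing is built or installed.
    """
    print(refusal_message(placeholder, intended), file=sys.stderr)
    raise SystemExit(1)


if __name__ == "__main__":
    # pip runs setup.py (legacy path or the setuptools PEP 517 backend) with
    # __name__ == "__main__", so the refusal fires on every install attempt.
    refuse_install()
    # setuptools.setup() is deliberately never reached: there is nothing to build.
```

Publish a placeholder like this only as an sdist: a wheel is installed without executing setup.py, so a wheel placeholder would reproduce exactly the silent success this thread complains about. The message appears inside pip's build-error output rather than as a top-level line, and a placeholder still has an owner who can upload something else later, which is the point made earlier about overwriting with malware.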

encukou commented 1 month ago

This is not really a PEP 541 request, but: We recommend the PyPI admins remove all projects owned by yandex-bot and marked “A package to prevent Dependency Confusion attacks against Yandex.”, and add them to the prohibited names list.

Disclaimer: We are providing support to the PyPI Administrators to validate this request and make a recommendation on the outcome and actions to be taken. Final determination will be made by the PyPI Administrators when our process is complete.