rubygems / rubygems.org

The Ruby community's gem hosting service.
https://rubygems.org
MIT License
2.31k stars, 915 forks

Typos in use for "gem install <name>" - safeguard usefulness? #1675

Closed ghost closed 6 years ago

ghost commented 7 years ago

I was just reading: https://www.theregister.co.uk/2017/09/15/pretend_python_packages_prey_on_poor_typing/

Typo names such as "acqusition" rather than "acquisition" or "setup-tools" rather than "setuptools". Or perhaps "bundle" or "bundlre" versus "bundler". :D

I am not sure if this is any real issue or not.

In ruby we have the gem did_you_mean which can be quite helpful.

Perhaps for the top 100 gems or so, some typo-checking could or should be enabled?

Alternatively, a script could perhaps be used to check for some typos based on some heuristics, and to monitor package uploads. On second thought, perhaps this is not worth the time investment, but I just wanted to post it anyway - feel free to close it whenever wanted.

Some of the comments in the article are not totally convincing:

"These packages have been downloaded multiple times since they were first uploaded in June 2017, SK-CSIRT said"

If one cannot distinguish between bot downloads and human downloads. I think that most of my gems are downloaded by bots/scripts, but I have also had real people use or download some of my gems - I know that because some reported problems via email to me, and in all these cases they were right; there were problems in these gems. I have yet to have a bot report problems to me like that ... :P
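
A worked version of the heuristic sketched in the comment above, added here as an example (it is not rubygems.org or RubyGems code): compare the requested gem name against a list of popular gems using an edit distance that counts adjacent transpositions ("bundlre"), after collapsing the case and separator tricks ("setup-tools") described in the linked article. `TOP_GEMS`, `distance_budget`, and the `:known` / `:suspicious` / `:unlisted` labels are assumptions made for the example; a real check would load the top-100 list from rubygems.org download statistics.

```ruby
# Added example: typosquat heuristic for "gem install <name>".
# Not rubygems.org code. TOP_GEMS is a constructed stand-in for the
# "top 100 gems" list mentioned in the issue.

TOP_GEMS = %w[
  bundler rake rails rspec nokogiri json minitest thor rack sinatra
  puma i18n activesupport
].freeze

# Collapse case and separator variants ("Active-Support" -> "activesupport")
# so that a name differing only by a dash or an underscore scores as distance 0.
def normalize_gem_name(name)
  name.downcase.gsub(/[-_.]/, "")
end

# Optimal string alignment distance: Levenshtein (insert, delete, substitute)
# plus a single adjacent transposition, so "bundlre" -> "bundler" costs 1.
def osa_distance(a, b)
  d = Array.new(a.length + 1) do |i|
    Array.new(b.length + 1) { |j| i.zero? ? j : (j.zero? ? i : 0) }
  end
  (1..a.length).each do |i|
    (1..b.length).each do |j|
      cost = a[i - 1] == b[j - 1] ? 0 : 1
      d[i][j] = [d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost].min
      if i > 1 && j > 1 && a[i - 1] == b[j - 2] && a[i - 2] == b[j - 1]
        d[i][j] = [d[i][j], d[i - 2][j - 2] + 1].min
      end
    end
  end
  d[a.length][b.length]
end

# Short names get a tighter budget (assumption): at distance 2, a four-letter
# name like "rack" would match almost any other four-letter word.
def distance_budget(name)
  name.length <= 5 ? 1 : 2
end

# Popular gems the requested name is suspiciously close to, as
# [[gem, distance], ...] sorted closest first. An exact match is not a typo.
def typosquat_candidates(name, dictionary = TOP_GEMS)
  return [] if dictionary.include?(name)

  wanted = normalize_gem_name(name)
  hits = []
  dictionary.each do |gem|
    dist = osa_distance(wanted, normalize_gem_name(gem))
    hits << [gem, dist] if dist <= distance_budget(wanted)
  end
  hits.sort_by { |gem, dist| [dist, gem] }
end

# The decision a pre-install hook would make for a given name.
def classify_install(name, dictionary = TOP_GEMS)
  return :known if dictionary.include?(name)

  typosquat_candidates(name, dictionary).empty? ? :unlisted : :suspicious
end

if $PROGRAM_NAME == __FILE__
  %w[bundler bundlre bundle nokogri active-support rakr hello-world].each do |name|
    puts "#{name.ljust(15)} #{classify_install(name)} #{typosquat_candidates(name).inspect}"
  end
end
```

A hit should produce a warning or a confirmation prompt rather than a hard block: legitimately named gems can sit within one edit of a popular one, so the list of popular names is a prior, not proof. Ruby's bundled did_you_mean library (`DidYouMean::SpellChecker`) could replace `osa_distance`, but its thresholds are designed for NameError suggestions, which is why the distance budget here is explicit and length-dependent.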

colby-swandale commented 6 years ago

This would have to be implemented in rubygems, so I suggest opening this issue there instead: https://github.com/rubygems/rubygems