[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Developers are advised to purge these malicious packages

Christian Heimes <christian at python.org> writes:
> On 04/12/2019 18.59, David Lowry-Duda wrote:
>> I notice that "python3-dateutil" is in over 4000 github repositories 
>> [1]. That sounds like a disaster.
>> [1]: https://github.com/search?q=python3-dateutil&type=Code
> At least the first pages are packaging files for Debian, Fedora, and
> other Linux distributions. Downstream distributions provide a Python
> package under multiple names. For example the Fedora's build spec [1]
> creates python2-dateutil and python3-dateutil packages from the
> python-dateutil upstream project.
> Attackers abuse the fact and try to typo-squat packages in hope that
> somebody uses the Linux distribution package name "python3-dateutil"
> instead of the upstream name "python-dateutil" in requirements.txt
Nice explanation. Thanks.