On 29 Mar 2012, at 13:32, m t wrote:

> i partly agree, but i think it's pretty obvious what the intent is
> the package on pypi has a malicious purpose
> if you can't trust the one end of the chain of events, there's no point in
> debating the integrity of the other end
> the aspect of trust was broken, the person and their code become
> untrustworthy from now on
> i was one second away from sending my credentials, so i might be biased here
> :)

It seems like the project is using a deliberate bitbucket feature and is unlikely to be either malicious or unethical.

All the best,

Michael

> mt
>
> On Mar 29, 2012, at 4:43 AM, Michael Foord wrote:
>
>> On 29 Mar 2012, at 12:37, m t wrote:
>>
>>> the other question is whether there are any others in pypi, and how to
>>> effectively detect them
>>
>> Even if the package hosting is unethical it doesn't mean we *must* remove
>> them from pypi. We should only do that if it is malicious (of course if we
>> can't *tell* whether or not it is malicious it becomes a difficult question).
>>
>> Michael
>>
>>> mt
>>>
>>> On Mar 29, 2012, at 4:06 AM, Michael Foord wrote:
>>>
>>>> On 29 Mar 2012, at 12:04, Yuval Greenfield wrote:
>>>>
>>>>> I really dislike this tomfoolery with bitbucket, you can see that
>>>>> jgrid.org is also a DNS redirection or something. It's bad security
>>>>> practice by bitbucket to allow this imo.
>>>>>
>>>>> Users should be trained for consistent address bars with HTTPS only, not
>>>>> all these useless copies with strange url's.
>>>>
>>>> That's not relevant as to whether or not the package in question should be
>>>> removed from PyPI though.
>>>>
>>>> Michael
>>>>
>>>>> Yuval
>>>>>
>>>>> On Thu, Mar 29, 2012 at 12:56 PM, M.-A. Lemburg <[email protected]> wrote:
>>>>> M.-A. Lemburg wrote:
>>>>>> Michael Foord wrote:
>>>>>>> Hello mt,
>>>>>>>
>>>>>>> It doesn't appear to be a clone, but embedding bitbucket - and the
>>>>>>> Python package *seems* genuine.
>>>>>>
>>>>>> The site hosts an illegal copy of the bitbucket site and redirects the
>>>>>> logins not to bitbucket, but to the code.thejeshgn.com:
>>>>>>
>>>>>> http://code.thejeshgn.com/account/signin/
>>>>>>
>>>>>> Needless to mention that the login info is sent in clear as well...
>>>>>>
>>>>>> I think we should inform Atlassian about this.
>>>>>
>>>>> Looks like he cloned bitbucket for all his bitbucket repos:
>>>>>
>>>>> http://code.thejeshgn.com/
>>>>>
>>>>> and happily proxies requests through his site.
>>>>>
>>>>>>> The correct place to report issues with pypi is the tracker (no-one on
>>>>>>> this webmaster alias is involved in the administration of pypi):
>>>>>>>
>>>>>>> http://sourceforge.net/tracker/?group_id=66150&atid=513503
>>>>>>>
>>>>>>> For *discussing* PyPI issues, which seems wise for this particular
>>>>>>> question, the catalog-sig email list is the right place:
>>>>>>>
>>>>>>> http://www.python.org/community/sigs/current/catalog-sig/
>>>>>>>
>>>>>>> I've copied them in on this email
>>>>>>>
>>>>>>> All the best,
>>>>>>>
>>>>>>> Michael Foord
>>>>>>>
>>>>>>> On 29 Mar 2012, at 11:15, m t wrote:
>>>>>>>
>>>>>>>> hi,
>>>>>>>> this package in pypi doesn't redirect to bitbucket, but a cloned site
>>>>>>>> that fishes bitbucket emails:
>>>>>>>> http://pypi.python.org/pypi/Octopoda/.0.1
>>>>>>>>
>>>>>>>> might want to look into it,
>>>>>>>> mt
>>>>>>>
>>>>>>> --
>>>>>>> http://www.voidspace.org.uk/
>>>>>>>
>>>>>>> May you do good and not evil
>>>>>>> May you find forgiveness for yourself and forgive others
>>>>>>> May you share freely, never taking more than you give.
>>>>>>> -- the sqlite blessing
>>>>>>> http://www.sqlite.org/different.html
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Catalog-SIG mailing list
>>>>>>> [email protected]
>>>>>>> http://mail.python.org/mailman/listinfo/catalog-sig
>>>>>
>>>>> --
>>>>> Marc-Andre Lemburg
>>>>> eGenix.com
>>>>>
>>>>> Professional Python Services directly from the Source (#1, Mar 29 2012)
>>>>> >>> Python/Zope Consulting and Support ... http://www.egenix.com/
>>>>> >>> mxODBC.Zope.Database.Adapter ... http://zope.egenix.com/
>>>>> >>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/
>>>>> ________________________________________________________________________
>>>>> 2012-04-03: Python Meeting Duesseldorf 5 days to go
>>>>>
>>>>> ::: Try our new mxODBC.Connect Python Database Interface for free ! ::::
>>>>>
>>>>> eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48
>>>>> D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
>>>>> Registered at Amtsgericht Duesseldorf: HRB 46611
>>>>> http://www.egenix.com/company/contact/
