Re: Open source archives hosting malicious software packages
On 09/20/2017 06:01 PM, Neil Bowers wrote: http://www.theregister.co.uk/2017/09/15/pretend_python_packages_prey_on_poor_typing/Would CPAN be subject to the same problem as described in the article above? Yes. DBI::Class, for example, could be a typo for DBIx::Class or a misremembered Class::DBI, and there's nothing stopping anyone from uploading a DBI::Class package that does all kinds of dodgy stuff. There are plenty of confusable (small edit distance) pairs of module names on CPAN. For example, Algorithm::SVM and Algorithm::VSM AI::POS and AI::PSO both pairs are from different dists. More likely with short acronyms. One thing we could do is have a tool looking at newly registered package names and alert the PAUSE admins to have a look at any that are a short edit distance from an existing package name. Would anyone know of any prior art for detection of "short edit distances"? (Perhaps even already on CPAN?) Thank you very much. Jim Keenan
Re: Open source archives hosting malicious software packages
James E Keenan wrote: >Would anyone know of any prior art for detection of "short edit distances"? >(Perhaps even already on CPAN?) Text::Levenshtein. -zefram
Re: Open source archives hosting malicious software packages
On Wed, 20 Sep 2017 18:08:34 -0400 James E Keenanwrote: > On 09/20/2017 06:01 PM, Neil Bowers wrote: > > One thing we could do is have a tool looking at newly registered > > package names and alert the PAUSE admins to have a look at any that > > are a short edit distance from an existing package name. > > Would anyone know of any prior art for detection of "short edit > distances"? (Perhaps even already on CPAN?) Isn't that just the Levenshtein distance? So e.g. Neil's Text::Levenshtein? One thing I thing is good to consider is the fact that all CPAN releases get announced on a quite populated IRC channel, increasing the chance of someone spotting a release announcement and thinking "hmm, that looks dodgy" - but that's of course not entirely reliable, and doesn't focus only on new releases.
Re: Open source archives hosting malicious software packages
>> http://www.theregister.co.uk/2017/09/15/pretend_python_packages_prey_on_poor_typing/Would >> CPAN be subject to the same problem as described in the article above? > > Yes. > > DBI::Class, for example, could be a typo for DBIx::Class or a > misremembered Class::DBI, and there's nothing stopping anyone from > uploading a DBI::Class package that does all kinds of dodgy stuff. There are plenty of confusable (small edit distance) pairs of module names on CPAN. For example, Algorithm::SVM and Algorithm::VSM AI::POS and AI::PSO both pairs are from different dists. More likely with short acronyms. One thing we could do is have a tool looking at newly registered package names and alert the PAUSE admins to have a look at any that are a short edit distance from an existing package name. Neil
Re: Requesting co-maint for MP3-Info
Hi JJ, > > This email is to request co-maintenance for the above mentioned module > > https://metacpan.org/release/MP3-Info in order to make a new CPAN release. > > I’m trying to track down Daniel, to see if we can get his blessing, but his > two email addresses I’ve tried so far have bounced. I’m still working on > another approach, so give me a while please. > > :-) Of course. > > How are things going here? Just a quick reminder. If they're going good, no > need to answer :-) Thanks for the nudge. I had been trying to track Daniel down via email & LinkedIn, but ended up getting the “ok” via twitter: I’ve just given you co-maint, on Daniel’s behalf. Thanks for persisting to get co-maint on this, and thanks to Daniel for giving permission. Cheers, Neil