I agree with Martin. This security event is of no consequence to us,
because we use the libraries included in Python.
It reminds us too that we should avoid adding dependencies on
untrusted source code, and especially be wary of adding any use of
PyPI.
On Thu, Jan 23, 2020 at 07:54:07PM -0300,
From: Chihurumnaya Ibiam
Sent: 23 January 2020 22:50
To: Sugar-dev Devel
Subject: [Sugar-devel] Malicious code in dateutil
"The first is "python3-dateutil," which imitated the popular "dateutil"
library. The second is "jeIlyfish" (the first L is an I), which mimicked
the "jellyfish" library."
If you read that carefully, it says these 2 libraries imitated the real
libraries. It does not say that the original
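The two imitation names quoted above use the two standard tricks: a confusable glyph (capital I for lowercase l in "jeIlyfish") and a decoy affix on the real name ("python3-dateutil" for the PyPI package python-dateutil). The following is an added example, not code from this thread or from Sugar Labs: a pre-install check that maps each name in a requirements file to the allowlisted package it resembles after folding confusables and stripping such affixes. The allowlist and requirement lines are constructed for illustration.

```python
import re

# Glyphs that read alike in a package name (the "jeIlyfish" trick: capital I for l).
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "0": "o"})

# Affixes an imitator bolts onto a real name ("python3-dateutil" for python-dateutil).
DECOY_AFFIXES = ("python3-", "python-", "py-", "-python", "-py")


def pep503(name):
    """PEP 503 normalization: runs of - _ . become one hyphen, then lower-case."""
    return re.sub(r"[-_.]+", "-", name).lower()


def lookalike_key(name):
    """Key under which a real name and its imitations collide."""
    key = pep503(name.translate(CONFUSABLES))
    for affix in DECOY_AFFIXES:
        if key.startswith(affix):
            return key[len(affix):]
        if key.endswith(affix):
            return key[: -len(affix)]
    return key


def requirement_name(line):
    """Project name from a requirements line such as 'pkg==1.2' or 'pkg[extra]>=1'."""
    line = line.strip()
    if not line or line[0] in "#-":  # comment or pip option line
        return ""
    return re.split(r"[\s\[<>=!~;@]", line, maxsplit=1)[0]


def check_requirements(requirements, allowlist):
    """Map each non-allowlisted requested name to the allowlisted name it resembles.

    Exact (PEP 503) matches pass silently. A name that only matches after folding
    confusable glyphs or removing a decoy affix is a suspected imitation; a name
    matching nothing is mapped to None so it still gets a manual look.
    """
    exact = {pep503(n) for n in allowlist}
    by_key = {lookalike_key(n): n for n in allowlist}
    findings = {}
    for line in requirements:
        requested = requirement_name(line)
        if not requested or pep503(requested) in exact:
            continue
        findings[requested] = by_key.get(lookalike_key(requested))
    return findings


# Constructed sample input: a small allowlist and a requirements file to vet.
ALLOWLIST = {"python-dateutil", "jellyfish", "requests", "six"}
REQUIREMENTS = ["python3-dateutil==2.8", "jeIlyfish>=0.7", "requests[security]>=2.22", "six", "# pinned"]

if __name__ == "__main__":
    for name, looks_like in check_requirements(REQUIREMENTS, ALLOWLIST).items():
        print(f"{name!r} is not allowlisted; resembles {looks_like!r}")
```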
Dateutil has been found to contain malicious code, a github search shows
10+ uses of dateutil in Sugar Labs repos.
You can read more about it here
https://www.zdnet.com/article/two-malicious-python-libraries-removed-from-pypi/