This is not how I imagined seeing my name in shini...
# randomb
bitter-ability-32190
11/11/2023, 1:11 PMThis is not how I imagined seeing my name in shining lights...
https://blog.orsinium.dev/posts/py/pypi-squatting/
π 1
g
gorgeous-winter-99296
11/11/2023, 1:16 PMAt least you've been filtered out as a false positive in the final list π
b
bitter-ability-32190
11/11/2023, 1:18 PMI noticed that!
bitter-ability-32190
11/11/2023, 1:19 PMI'm also the 16th most profilific package publisher on PyPI π
π² 3
w
wide-midnight-78598
11/11/2023, 11:08 PMThis is why I like the approach NodeJS has gone, with organizations prefixing their org id and then the package ID.
Leads to org squatting, but I think that's a bit easier to deal with overall.
Cargo, Pypi, and all of those non-namespaced package managers are getting more annoying day after day.
f
flat-zoo-31952
11/12/2023, 3:41 PMHonestly (and this is weird to say)... I think Maven got this right
e
early-jelly-55072
11/24/2023, 6:10 PMIsnβt the missing ingredient confirming who made the package via signing? I guess there are ways of breaking that, too, without someone taking on the job of verifying authenticity of the builder.
f
flat-zoo-31952
11/24/2023, 6:23 PMPackage signing prevents certain kinds of takeovers, but only in the sense of "I can verify that these packages were published by an entity with access to the same private key". Private key custody is one obvious thing it tells you little about, but even worse it does nothing at all to combat typosquatting or other forms of attacks that don't rely on contaminating an actual package
flat-zoo-31952
11/24/2023, 6:26 PMMaven does a great job of preventing this by requiring that you prove you own a domain before you can publish to the namespace corresponsding to that domain. E.g. you have to prove you own example.com if you want to publish artifacts namespaced to
com.exampleflat-zoo-31952
11/24/2023, 6:28 PMBut all this means that your ability to name squat Maven Central is limited by your ability to name-squat domain names
flat-zoo-31952
11/24/2023, 6:29 PMNobody would mistakenly download
ru.yandex.andπ§ 1
e
early-jelly-55072
11/24/2023, 6:31 PMyeah. One has to say I only trust this private key to publish this package to squash typosquatting. How does one discover a trusted packager in the first place? Even domains can be typosquatted.
f
flat-zoo-31952
11/24/2023, 6:31 PMDistro vendors use signed packages, but there's a chain-of-trust model there that is afforded by their more centralized management. I think language package ecosystem maintainers have different goals and don't want to maintain a vetted list of known trusted publishers
ππ½ 1
e
early-jelly-55072
11/24/2023, 6:31 PMMaybe
pip install requestsf
flat-zoo-31952
11/24/2023, 6:32 PMOr just
pip install org.python-requests:requestsflat-zoo-31952
11/24/2023, 6:33 PMI'm not saying we should all use Maven either. It's just one thing that Maven and the modern JVM ecosystem it built got right. And virtually all other language package ecosystems got wrong (IMO)
e
early-jelly-55072
11/24/2023, 6:33 PMpip install org.python-reguests:reguestsearly-jelly-55072
11/24/2023, 6:33 PMThen you have to have TWO typos to get 0wn3d.
f
flat-zoo-31952
11/24/2023, 6:34 PMexactly
flat-zoo-31952
11/24/2023, 6:34 PMnot impossible, but harder
e
early-jelly-55072
11/24/2023, 6:35 PMpip install org.paid-someone-to-protect-me:requestsf
flat-zoo-31952
11/24/2023, 6:35 PMalso you need a credit card to register a domain, and while there's no shortage of shady ways to own a domain, it's more paperwork
ππ½ 1
e
early-jelly-55072
11/24/2023, 6:35 PMIt is all about raising the bar.
f
flat-zoo-31952
11/24/2023, 6:37 PMBut it's also too late probably. It's a big breaking change
3 Views