Warehouse: User report mechanism for projects that damage other packages, don't adhere to guidelines, or are malicious

Created on 4 May 2018 · 10 Comments · Source: pypa/warehouse

What's the problem this feature will solve?

Searching through PyPI I was not able to find anywhere I can report a project that either contains malicious code or breaks other packages in the repository by overwriting them. To be clear, I am not talking about reporting issues to the project maintainer. This issue is not asking that PyPI duplicate the efforts of GitHub, but as a distributor of software, PyPI needs some mechanism for consumers of the software to flag software that is malicious or may break other software.

I've come across the case of a package that overwrites another package on purpose - not for malicious intent. But that package broke my project, and uninstalling it did not fix it, because it had overwritten the other package. This is bad practice, and there should be a way to report things like this, beyond to the project maintainer. The maintainer may disagree, or may not be maintaining the project anymore.

Malicious projects: Anyone could upload a project that has malicious code buried in it, and unsuspecting developers may install this package thinking that it is "official" because it is on PyPI. There is a little bit of that expectation, since pip is part of the core Python package, that packages you install via pip may be more reliable and adhere to certain standards than packages that you may install from GitHub projects. This expectation is obviously unwarranted, but it may exist in some developers nonetheless.

That being said, there should be at least some reliable way to report or flag a project to PyPI maintainers - not the project maintainer - from the project page, and for people to see complaints about a project and judge for themselves, even if the maintainers of PyPI decide not to remove it. I found nothing.

I think there should be one issue on the pypa/warehouse GitHub that covers this, because this query has come up in the past, but gets shoved or related to other sub-issues or related issues that are already closed or more complicated.

Describe the solution you'd like

There should be one issue regarding reporting or flagging projects. It should cover these things (possibly as child issues):

  1. The ability to report or flag a project from the project page.
  2. The ability to see these reports. I.e. - flagged N times (as link). And then clicking on link just displays that list with the name of the reporter, the subject of the issue, maybe a category that includes "other" and a write-in category, and the text of the issue.
  3. Documentation regarding both the fact that projects are not reviewed or inspected by PyPI and how to report or flag projects that are malicious, break other packages, or have some other bad practices.

Labels: blocked, feature request


All 10 comments

Thank you for the thorough report @bitfinity! This is planned to be part of our overall spam detection and mitigation strategy. any mechanism fulfilling #2982 would also be usable for this purpose, or we could merge the concept of spam with this.

For example this dude: https://pypi.org/project/ssh-decorate/#files
He logs all SSH data from users and sends it to his server. And I don't know where I can report him?
_More details: https://github.com/urigoren/ssh_decorator/issues/11_

Thanks for the report @mowshon, looking into it.

Thank you very much @mowshon for being alert, I am shocked I fell victim to this kind of attack.

I have updated my pypi password, and reposted the package under a new name ssh-decorator.
I have also updated the readme of the repository, to make sure my users are also aware of this incident.

Is it possible to automatically identify when pypi packages differ from their github repo, in case this kind of attack occurs again in the future?
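The check asked about in the comment above, as an added example that is not part of the thread or of Warehouse: hash every file in a git checkout of the project and every member of the published sdist tarball, then report files that exist only in the release, only in the repository, or whose contents differ. The repository tree and the sdist below are constructed inline in a temporary directory so the script runs offline; the package name `pkg`, the file names and the `IGNORED` set (metadata files an sdist legitimately adds) are assumptions for the demo, not values from the thread.

```python
"""Added example (not from the pypa/warehouse thread): detect files in a PyPI
source distribution that differ from the project's git checkout, so a release
that was tampered with after the repository was written can be flagged."""
import hashlib
import tarfile
import tempfile
from pathlib import Path

# Files an sdist legitimately adds or lacks; assumed set for this demo.
IGNORED = {"PKG-INFO", "setup.cfg", ".git"}


def _ignored(parts) -> bool:
    return any(part in IGNORED for part in parts)


def file_hashes(root: Path) -> dict[str, str]:
    """Map relative POSIX path -> sha256 hex digest for every regular file under root."""
    out = {}
    for p in root.rglob("*"):
        rel = p.relative_to(root)
        if p.is_file() and not _ignored(rel.parts):
            out[rel.as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return out


def sdist_hashes(sdist_path: Path) -> dict[str, str]:
    """Hash each regular member of an sdist tarball, stripping the leading 'name-version/' dir."""
    out = {}
    with tarfile.open(sdist_path, "r:gz") as tar:
        for m in tar.getmembers():
            if not m.isfile():
                continue
            rel = m.name.split("/", 1)[1] if "/" in m.name else m.name
            if _ignored(rel.split("/")):
                continue
            out[rel] = hashlib.sha256(tar.extractfile(m).read()).hexdigest()
    return out


def compare(repo: dict[str, str], sdist: dict[str, str]) -> dict[str, list[str]]:
    """Classify differences between the repository tree and the sdist contents."""
    both = set(repo) & set(sdist)
    return {
        "only_in_sdist": sorted(set(sdist) - set(repo)),
        "only_in_repo": sorted(set(repo) - set(sdist)),
        "modified": sorted(p for p in both if repo[p] != sdist[p]),
    }


def demo() -> dict[str, list[str]]:
    """Build a constructed checkout and a constructed sdist that differ, then compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)

        # Constructed "git checkout" of the project.
        repo = base / "repo"
        (repo / "pkg").mkdir(parents=True)
        (repo / "pkg" / "__init__.py").write_text("def connect(host):\n    return host\n")
        (repo / "setup.py").write_text("from setuptools import setup\nsetup(name='pkg')\n")
        (repo / "README.md").write_text("# pkg\n")

        # Constructed sdist: one module changed, one file added, README omitted.
        stage = base / "pkg-1.0"
        (stage / "pkg").mkdir(parents=True)
        (stage / "pkg" / "__init__.py").write_text("def connect(host):\n    return host.lower()\n")
        (stage / "pkg" / "_extra.py").write_text("# file not present in the repository\n")
        (stage / "setup.py").write_text((repo / "setup.py").read_text())
        (stage / "PKG-INFO").write_text("Metadata-Version: 2.1\nName: pkg\n")
        sdist = base / "pkg-1.0.tar.gz"
        with tarfile.open(sdist, "w:gz") as tar:
            tar.add(stage, arcname="pkg-1.0")

        return compare(file_hashes(repo), sdist_hashes(sdist))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

In practice the repository side would be a checkout of the tag the release claims to correspond to and the sdist would be downloaded from PyPI; any entry in `modified` or `only_in_sdist` is what a reviewer would look at first, since a file present in the release but absent from the public source history is exactly the pattern described in this thread.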

@nlhkabu Hi there!

Is this task still available? If you don't mind, I'd give it a shot.

@EmilLuta I'm not sure on the status of this ticket.
@ewdurbin or @di could you please weigh in on this?

@nlhkabu I suspect most of the job (for now) is to add a simple flag option for each repository. This way, any user can flag it. With that in mind people could have a curated list of what looks spooky and what might be used.

This issue is in-progress, sorry!

Owkay. Thanks @di

As I understand it, this is blocked on #3231.
