
Open source archives hosting malicious software packages


James E Keenan

Sep 15, 2017, 7:30:02 PM
to cpan-w...@perl.org
http://www.theregister.co.uk/2017/09/15/pretend_python_packages_prey_on_poor_typing/

Would CPAN be subject to the same problem as described in the article above?

David Cantrell

Sep 20, 2017, 10:45:02 AM
to cpan-w...@perl.org
On Fri, Sep 15, 2017 at 07:11:49PM -0400, James E Keenan wrote:

> http://www.theregister.co.uk/2017/09/15/pretend_python_packages_prey_on_poor_typing/
>
> Would CPAN be subject to the same problem as described in the article above?

Yes.

DBI::Class, for example, could be a typo for DBIx::Class or a
misremembered Class::DBI, and there's nothing stopping anyone from
uploading a DBI::Class package that does all kinds of dodgy stuff.

--
David Cantrell | semi-evolved ape-thing

Longum iter est per praecepta, breve et efficax per exempla.

James E Keenan

Sep 20, 2017, 6:15:03 PM
to Neil Bowers, David Cantrell, cpan-w...@perl.org, PAUSE Admins
On 09/20/2017 06:01 PM, Neil Bowers wrote:
>>> http://www.theregister.co.uk/2017/09/15/pretend_python_packages_prey_on_poor_typing/
>>>
>>> Would CPAN be subject to the same problem as described in the article above?
>>
>> Yes.
>>
>> DBI::Class, for example, could be a typo for DBIx::Class or a
>> misremembered Class::DBI, and there's nothing stopping anyone from
>> uploading a DBI::Class package that does all kinds of dodgy stuff.
>
> There are plenty of confusable (small edit distance) pairs of module names on CPAN.
>
> For example,
> Algorithm::SVM and Algorithm::VSM
> AI::POS and AI::PSO
> both pairs are from different dists. More likely with short acronyms.
>
> One thing we could do is have a tool looking at newly registered package names and alert the PAUSE admins to have a look at any that are a short edit distance from an existing package name.
>

Would anyone know of any prior art for detection of "short edit
distances"? (Perhaps even already on CPAN?)

Thank you very much.
Jim Keenan

Zefram

Sep 20, 2017, 6:30:02 PM
to James E Keenan, Neil Bowers, David Cantrell, cpan-w...@perl.org, PAUSE Admins
James E Keenan wrote:
>Would anyone know of any prior art for detection of "short edit distances"?
>(Perhaps even already on CPAN?)

Text::Levenshtein.

-zefram
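The check Neil Bowers proposes above, worked through with the Levenshtein distance Zefram points to, as an added example that is not part of the thread and not PAUSE code (Python rather than Perl so it runs stand-alone; the list of "existing" package names is constructed for the example, and the threshold of 2 is an assumption):

```python
# Added example: flag a newly registered package name that is a short edit
# distance from an existing one, or that merely reorders its components
# (the "misremembered Class::DBI" case). The EXISTING list is constructed;
# a real PAUSE-side tool would read the package index instead.

EXISTING = ["DBIx::Class", "Class::DBI", "Algorithm::SVM",
            "AI::POS", "Text::Levenshtein"]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), the same measure
    Text::Levenshtein computes. Single-row dynamic programming."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def confusable(new_name: str, existing=EXISTING, max_distance: int = 2):
    """Return (existing_name, reason) pairs an admin should look at.
    Comparison is case-insensitive; an identical name is skipped because
    PAUSE permissions already govern who may upload it."""
    hits = []
    new_lc = new_name.lower()
    new_parts = sorted(new_lc.split("::"))
    for name in existing:
        lc = name.lower()
        if lc == new_lc:
            continue
        d = levenshtein(new_lc, lc)
        if d <= max_distance:
            hits.append((name, f"edit distance {d}"))
        elif sorted(lc.split("::")) == new_parts:
            hits.append((name, "same components, different order"))
    return hits


if __name__ == "__main__":
    for candidate in ["DBI::Class", "Algorithm::VSM", "AI::PSO"]:
        print(candidate, "->", confusable(candidate))
```

A fixed threshold of 2 also catches many legitimate short-acronym pairs like the ones Neil lists, so this is a review queue for the admins rather than an automatic block.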

David Precious

Sep 20, 2017, 6:30:02 PM
to James E Keenan, Neil Bowers, David Cantrell, cpan-w...@perl.org, PAUSE Admins
Isn't that just the Levenshtein distance? So e.g.
Neil's Text::Levenshtein?

One thing I think is good to consider is the fact that all CPAN releases
get announced on a quite populated IRC channel, increasing the chance of
someone spotting a release announcement and thinking "hmm, that looks
dodgy" - but that's of course not entirely reliable, and doesn't focus
only on new releases.

David Cantrell

Sep 21, 2017, 8:30:02 AM
to cpan-w...@perl.org
On Wed, Sep 20, 2017 at 11:13:50PM +0100, David Precious wrote:

> One thing I think is good to consider is the fact that all CPAN releases
> get announced on a quite populated IRC channel, increasing the chance of
> someone spotting a release announcement and thinking "hmm, that looks
> dodgy" - but that's of course not entirely reliable, and doesn't focus
> only on new releases.

But is anyone paying attention? I assume you're talking about
#cpantesters, which I'm on, but I hardly ever look at it, and when I do
look I certainly don't look at scrollback, let alone looking at
scrollback *carefully*.

--
David Cantrell | Godless Liberal Elitist

Planckton: n, the smallest possible living thing