
[Postmortem] cupy-cuda112 Package Squatting Issue on PyPI #4787

Closed
kmaehashi opened this issue Mar 2, 2021 · 0 comments

tl;dr: An invalid cupy-cuda112 package (versioned v2.2.2) was online from 2021-02-25 18:17 to 2021-02-26 11:09 (UTC). The packages currently hosted on PyPI (versioned v8.5.0 and v9.0.0b3) and on GitHub Releases (#4704) are built by the CuPy team and are all safe.


Date:
2021-03-02

Author:
The CuPy Team (@kmaehashi)

Status:
Complete (action items ongoing)

Summary:
A package named cupy-cuda112, which we were planning to release on 2021-02-26, was taken by a third party the day before the release.

Impact:

  1. Users who ran pip install cupy-cuda112 received an unexpected package.
  2. Release of the cupy-cuda112 package was delayed.

Root Causes:
PyPI does not provide a feature to create a namespace or reserve future package names.

Resolution:
Moved the ownership of the cupy-cuda112 package to the CuPy project and removed the invalid release assets, following PEP 541 process.

Action Items:
Until PyPI implements a package namespace feature, we will do the following to mitigate the situation.

  1. Secure a package name on PyPI when the corresponding CUDA version has been released, instead of when making a new CuPy release for that CUDA version.
  2. Monitor PyPI for packages containing cupy in their names, and request a takedown when needed (e.g., when the package has malicious content).
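An added example (not the CuPy project's own tooling) of the checks behind the two action items: it takes a PEP 691 JSON simple-index listing, normalises names per PEP 503, and reports which expected cupy-cudaXYZ names are held by someone else, which are still free to secure, and which other cupy-like names merit review. The index sample, the owned-name set and the CUDA version list are constructed assumptions.

```python
import json
import re

# Constructed sample shaped like a PEP 691 JSON index listing (what
# https://pypi.org/simple/ returns for Accept: application/vnd.pypi.simple.v1+json).
# It is not real PyPI data.
SAMPLE_INDEX = json.dumps({
    "meta": {"api-version": "1.0"},
    "projects": [
        {"name": "cupy"},
        {"name": "cupy-cuda110"},
        {"name": "cupy-cuda111"},
        {"name": "Cupy_Cuda112"},  # same project as cupy-cuda112 once normalised
        {"name": "cupy-cuda113"},  # expected name, but held by someone else here
        {"name": "cupy-tools"},    # unrelated name containing 'cupy': review it
        {"name": "numpy"},
    ],
})

# Names the project holds on PyPI and the CUDA versions released so far
# (both are assumptions made for this example).
OWNED = {"cupy", "cupy-cuda110", "cupy-cuda111", "cupy-cuda112"}
CUDA_VERSIONS = ["11.0", "11.1", "11.2", "11.3", "11.4"]


def normalize(name):
    """PEP 503 normalisation: lowercase; runs of '-', '_' or '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def expected_names(cuda_versions):
    """The cupy-cudaXYZ name the project should hold for each CUDA release."""
    return {"cupy-cuda" + v.replace(".", "") for v in cuda_versions}


def audit(index_json, owned, cuda_versions):
    """Classify index entries against the project's expected names.

    taken:      expected names registered by someone else -> PEP 541 request
    available:  expected names nobody has registered yet  -> secure them now
    unexpected: other names containing 'cupy', not ours   -> review contents
    """
    names = {normalize(p["name"]) for p in json.loads(index_json)["projects"]}
    owned = {normalize(n) for n in owned}
    expected = expected_names(cuda_versions)
    return {
        "taken": sorted((expected & names) - owned),
        "available": sorted(expected - names),
        "unexpected": sorted(n for n in names - owned - expected if "cupy" in n),
    }
```

Running `audit(SAMPLE_INDEX, OWNED, CUDA_VERSIONS)` against the sample flags cupy-cuda113 as taken, cupy-cuda114 as still available, and cupy-tools for review.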

Timeline (in UTC)

  • 2021-02-25 18:17: Package cupy-cuda112 created by an attacker, and an invalid package asset (versioned v2.2.2) was uploaded.
  • 2021-02-26 05:06: The CuPy team tried to register a new package cupy-cuda112 for v8.5.0 / v9.0.0b3 release, and discovered that it was already taken by a third party.
  • 2021-02-26 05:43: The CuPy team submitted a takedown request to the PyPI team. PEP 541 Request: cupy-cuda112 pypi/support#923
  • 2021-02-26 08:38: Announced the incident to users via Twitter, Gitter and GitHub (Do not use cupy-cuda112 package on PyPI (update: issue resolved) #4765).
  • 2021-02-26 11:09: PyPI approved the request, transferred the ownership of the package to the CuPy project, and removed the invalid release asset.
  • 2021-03-02 07:59: The CuPy team released genuine cupy-cuda112 packages (CuPy built for CUDA 11.2).
@kmaehashi kmaehashi pinned this issue Mar 2, 2021
@kmaehashi kmaehashi self-assigned this Mar 2, 2021
@kmaehashi kmaehashi unpinned this issue Mar 9, 2021