
User report mechanism for projects that damage other packages, don't adhere to guidelines, or are malicious #3896

Open · bitfinity opened this issue May 4, 2018 · 16 comments
Labels: blocked (Issues we can't or shouldn't get to yet), feature request

Comments

@bitfinity

What's the problem this feature will solve?

Searching through PyPI I was not able to find anywhere where I can report a project that either contains malicious code or breaks other packages in the repository by overwriting them. To be clear, I am not talking about reporting issues to the project maintainer. This issue is not asking that PyPI duplicate the efforts of GitHub, but as a distributor of software, PyPI needs some mechanism for consumers of the software to flag software that is malicious or may break other software.

I've come across the case of a package that overwrites another package on purpose, not with malicious intent. But that package broke my project, and uninstalling it did not fix it, because it had overwritten the other package. This is bad practice, and there should be a way to report things like this, beyond to the project maintainer. The maintainer may disagree, or may not be maintaining the project anymore.

Malicious projects: Anyone could upload a project that has malicious code buried in it, and unsuspecting developers may install this package thinking that it is "official" because it is on PyPI. There is a little bit of that expectation, since pip is part of the core Python package, that packages you install via pip may be more reliable and adhere to certain standards than packages that you may install from GitHub projects. This expectation is obviously unwarranted, but it may exist in some developers nonetheless.

That being said, there should be at least some reliable way to report or flag a project to PyPI maintainers, not the project maintainer, from the project page, and for people to see complaints about a project and judge for themselves, even if the maintainers of PyPI decide not to remove it. I found nothing.

I think there should be one issue on the pypa warehouse GitHub that covers this, because this query has come up in the past, but gets shoved or related to other sub-issues or related issues that are already closed or more complicated.

Describe the solution you'd like

There should be one issue regarding reporting or flagging projects. It should cover these things (possibly as child issues):

  1. The ability to report or flag a project from the project page.
  2. The ability to see these reports, i.e. "flagged N times" (as a link). Clicking on the link just displays that list with the name of the reporter, the subject of the issue, maybe a category that includes "other" and a write-in category, and the text of the issue.
  3. Documentation regarding both the fact that projects are not reviewed or inspected by PyPI and how to report or flag projects that are malicious, break other packages, or have some other bad practices.
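The overwrite case described above (one distribution's files replacing another's, so that uninstalling the offender leaves the victim broken) can be detected locally from the RECORD metadata pip writes for each installed distribution. This is an added example, not code from the issue, from Warehouse or from pip; it relies only on the standard library's `importlib.metadata` and on constructed sample data for the check.

```python
from collections import defaultdict
from importlib.metadata import distributions


def find_file_conflicts(owners):
    """Return {path: [dist names]} for every installed file that more than
    one distribution claims, given {dist name: iterable of file paths}.

    This is the condition the issue describes: if two wheels ship the same
    module path, the one installed last silently overwrites the other, and
    uninstalling it removes the file without restoring the first package.
    """
    claims = defaultdict(set)
    for dist_name, files in owners.items():
        for path in files:
            # Normalize separators so Windows and POSIX RECORD entries agree.
            norm = str(path).replace("\\", "/")
            # A distribution's own *.dist-info directory is unique to it and
            # never a real collision, so leave those entries out.
            if ".dist-info/" in norm:
                continue
            claims[norm].add(dist_name)
    return {p: sorted(d) for p, d in claims.items() if len(d) > 1}


def installed_owners():
    """Build the {name: files} mapping for the running environment from each
    distribution's RECORD via importlib.metadata. dist.files is None when no
    RECORD exists (some legacy egg-info installs), so those are skipped."""
    owners = {}
    for dist in distributions():
        if dist.files is None:
            continue
        owners[dist.metadata["Name"]] = [str(f) for f in dist.files]
    return owners


if __name__ == "__main__":
    conflicts = find_file_conflicts(installed_owners())
    for path, dists in sorted(conflicts.items()):
        print(f"{path} is owned by: {', '.join(dists)}")
    if not conflicts:
        print("no overlapping files between installed distributions")
```

Running the script inside an affected virtual environment lists exactly which module paths two distributions both claim, which is the evidence a report like the one requested in this issue would need.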
@ewdurbin
Member

ewdurbin commented May 4, 2018

Thank you for the thorough report @bitfinity! This is planned to be part of our overall spam detection and mitigation strategy. Any mechanism fulfilling #2982 would also be usable for this purpose, or we could merge the concept of spam with this.


@EmilLuta

@nlhkabu Hi there!

Is this task still available? If you don't mind, I'd give it a shot.

@nlhkabu
Contributor

nlhkabu commented Jul 28, 2018

@EmilLuta I'm not sure on the status of this ticket.
@ewdurbin or @di could you please weigh in on this?

@EmilLuta

@nlhkabu I suspect most of the job (for now) is to add a simple flag option for each repository. This way, any user can flag it. With that in mind people could have a curated list of what looks spooky and what might be used.

@di
Member

di commented Jul 28, 2018

This issue is in-progress, sorry!

@EmilLuta

Owkay. Thanks @di

@brainwane brainwane added this to the Post Legacy Shutdown milestone Jun 10, 2019
@brainwane brainwane added the blocked Issues we can't or shouldn't get to yet label Jun 10, 2019
@brainwane
Contributor

As I understand it, this is blocked on #3231.

@brainwane brainwane changed the title Report projects that damage other packages, don't adhere to guidelines, or are malicious User report mechanism for projects that damage other packages, don't adhere to guidelines, or are malicious Jun 20, 2019
@MartinThoma

MartinThoma commented Jan 9, 2022

Would it be possible to use GitHub (maybe not in https://github.com/pypa/warehouse but in https://github.com/pypa/pypi-support/ ?) to allow users to report malicious packages as issues?

One could make a template for this type of issue. I could imagine these fields being interesting:

Another template could be for typosquatting.

@melroy89

melroy89 commented Nov 19, 2022

Any update on where I can file a report/complaint?

@di
Member

di commented Nov 19, 2022

See https://pypi.org/security/

@melroy89

melroy89 commented Nov 20, 2022

I want to file a complaint, not a security issue. In my case specifically there are other users duplicating my work and releasing it under another PyPI package, while not honoring the copyright owners/authors being mentioned, which is not in line with the Apache License 2.0.

EDIT: I know where to report this. You can report such things at: https://github.com/pypa/pypi-support/issues

@eirnym

eirnym commented Nov 20, 2022

Do we all expect that all packages can be installed simultaneously and won't break each other? I understand the original issue, but what if I name my package differently, and name Python packages the same as another random package; is my package flagged or the other package flagged? I see no mechanism to detect and solve the problem peacefully. Another problem is "I like the package, but it's not been maintained for years and has an important issue, and I still need to use the first one (as a part of a contract with other packages) and want to fix the issue"?

@soxofaan

Another use case that could be covered here: https://pypi.org/project/pyrasite/ . The original maintainer has lost interest in this project I guess, and has lost ownership of the project's homepage domain (pyrasite dot com), which has now turned into a phishing/malware rabbit hole (see lmacken/pyrasite#151 lmacken/pyrasite#145).
As a result, https://pypi.org/project/pyrasite/ is full of malicious links. So while the package itself isn't malicious per se, it would be good if there was some mechanism to avoid interested users blindly clicking these links.
