Re: Malicious software libraries found in PyPI posing as well known libraries
Originally Posted by srakitnican
I don't see how an installation script would make a typo in a python package name. I see this as a kind of phishing attempt, PyPI style. If you are just blindly installing libraries from any source without checking if it is the original source, then I would say you are being reckless. Like everywhere else, there exist trusted users as well as some less trusted ones.
I don't think it's a typo in the installation script, but it's when the user makes a typo in the package name, such as urlib rather than urllib. The installation script in this alternative is what carries the malware; the library itself is just a copy of the real thing, so there is nothing to flag that you might have downloaded the wrong package.
Part of the problem is that the Python repo is getting about 100 new packages per day, which makes it impossible to curate without relying on a lot of automation.
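A defender-side check for the typo scenario described in this reply, written as an added example that is not part of the original thread or of any PyPI tooling: the allow-list of known names, the edit-distance threshold of one and the sample requirements file are constructed assumptions. It normalises names the way PyPI does and flags any requirement that is one edit away from a known name but is not that name, which is exactly the urlib-versus-urllib case.

```python
"""Flag requirements that look like typosquats of known package names.

Added example (not from the thread). The allow-list is a constructed
assumption; in practice it would be a curated list or an internal registry.
Names are compared with optimal-string-alignment distance so that one
missing, extra, substituted or swapped character is caught.
"""
import re
from typing import List, Optional, Tuple

# Constructed allow-list of names a project actually depends on (assumption).
KNOWN_PACKAGES = {"urllib3", "requests", "numpy", "django", "flask", "cryptography"}


def normalize(name: str) -> str:
    """PEP 503 normalisation: case-insensitive, runs of '-', '_' and '.' collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute or transpose adjacent chars."""
    la, lb = len(a), len(b)
    d = [[0] * (lb + 1) for _ in range(la + 1)]
    for i in range(la + 1):
        d[i][0] = i
    for j in range(lb + 1):
        d[0][j] = j
    for i in range(1, la + 1):
        for j in range(1, lb + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[la][lb]


def is_suspicious(name: str, known=KNOWN_PACKAGES, max_distance: int = 1) -> Optional[str]:
    """Return the known name this one closely resembles, or None.

    An exact (normalised) match is fine; a near-miss is what a typo produces.
    """
    n = normalize(name)
    known_n = {normalize(k) for k in known}
    if n in known_n:
        return None
    best: Optional[Tuple[str, int]] = None
    for k in sorted(known_n):
        dist = edit_distance(n, k)
        if dist <= max_distance and (best is None or dist < best[1]):
            best = (k, dist)
    return best[0] if best else None


def parse_requirement_name(line: str) -> Optional[str]:
    """Extract the project name from one requirements.txt line; comments and blanks give None."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
    return m.group(1) if m else None


def scan_requirements(text: str) -> List[Tuple[str, str]]:
    """Return (requested_name, resembles_known_name) for every suspicious entry."""
    findings = []
    for line in text.splitlines():
        name = parse_requirement_name(line)
        if name is None:
            continue
        match = is_suspicious(name)
        if match:
            findings.append((name, match))
    return findings


# Constructed sample requirements file with two deliberate near-misses.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
urlib3        # constructed typo of urllib3
djanga>=4.2   # constructed typo of django
numpy
"""

if __name__ == "__main__":
    for requested, resembles in scan_requirements(SAMPLE_REQUIREMENTS):
        print(f"{requested!r} looks like {resembles!r}; verify the source before installing")
```

Run it against a real requirements file before `pip install -r`, or wire `scan_requirements` into CI so a near-miss fails the build instead of being installed. The threshold of one edit is deliberately tight; raising it catches more variants but also flags legitimately similar names, so any higher value should be paired with an explicit allow-list of those.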
Has anyone seriously considered that it might be turtles all the way down?
That's very old fashioned thinking.
The current model is that it's holographic nested virtualities of turtles, all the way down.