#pypa logs for Saturday the 30th of December, 2017

[12:22:24] <pombreda> pmxbot, welcome back! :)
[14:13:51] <nedbat> "russianidiot" seems to be typo-squatting a number of packages, like https://pypi.python.org/pypi/request/0.0.22
[14:18:04] <pombreda> nedbat, I wonder if this is evil squatting: it has been around for a long time. But this is squatting nonetheless
[14:18:36] <nedbat> pombreda: well, I can't figure out why they are bothering, since the code doesn't seem to do anything useful, even maliciously.
[14:19:01] <nedbat> pombreda: but if you look at their github, they have a few repos designed to be installed needlessly by mistake (pip install dict)?
[14:19:19] <pombreda> yep
[14:19:31] <pombreda> this is the most peculiar set of repos I have ever seen
[14:21:18] <pombreda> nedbat, like it had been written by someone with some serious obsession or a very different mind
[14:23:50] <pombreda> nedbat, I do not think this is evil, just annoying. And the work of a person with a very different mind, to say the least and staying PC :P
[15:37:40] <toad_polo> Why do you think this is not malicious?
[15:38:08] <toad_polo> The weird separation into a bunch of different packages seems like kind of a hallmark of code obfuscation.
[15:40:02] <toad_polo> Though I dunno, putting everything on github and setting up codecov and stuff does make you think they're just a person who is a bit off and has a funky way of organizing things.
[15:41:09] <toad_polo> The fact that GET pulls stuff from an environment variable and does stuff with it that I need to go a few repos deep to unravel is not encouraging, though.
[16:15:28] <pombreda> toad_polo, I think this is not malicious because I have seen packages from this russianidiot for several years and they look as harmless as they can. Some do real things, several do not do much at all
[16:15:52] <pombreda> this is mostly junk but not malicious code IMHO
[16:15:59] <pombreda> from someone that is likely sick
[16:16:09] <pombreda> in the very real sense of the word
[16:16:09] <nedbat> toad_polo: if you "pip install request", it doesn't do anything. It fails on a name error about "get".
[16:17:38] <pombreda> toad_polo, and if not sick, that person is very much off, south and north :)
[16:17:45] <toad_polo> Heh
[16:18:14] <pombreda> but that's just perspective of me :)
[16:51:01] <agronholm> is there anything that disallows distributions from having a single digit as a version?
[16:53:27] <tos9> agronholm: Looks fine: https://www.python.org/dev/peps/pep-0440/#public-version-identifiers
[16:53:37] <agronholm> I was looking at the same thing
[16:53:45] <agronholm> which means wheel has a bug in its regexp
[16:54:04] <agronholm> it expects at least one more character after the first digit
[16:59:21] <tos9> does wheel not use packaging?
[16:59:44] <tos9> agronholm: ^
[16:59:50] <agronholm> no
[17:00:04] <tos9> maybe it should?
[17:00:16] <agronholm> if the extra dependency is worth it
[17:00:45] <agronholm> currently wheel has no hard dependencies
[17:01:13] <tos9> could vendor it if need be
[17:01:25] <agronholm> I very much dislike vendoring
[17:01:25] <tos9> https://github.com/pypa/packaging/blob/master/packaging/version.py#L24 though is at least a "correct" PEP 440 implementation
[17:01:43] <tos9> well NIH is a bit worse than both :D
[17:02:06] <agronholm> this is literally a 1 character fix
[17:04:20] <tos9> says a lot that our own packaging tools don't use our own packaging tools... :/
[17:05:03] <agronholm> would you really go and add the complexities of vendoring for a 1 character fix?
[17:05:26] <tos9> dunno. I'd certainly love to see us have one, nice, implementation of Version objects though
[17:05:32] <tos9> (so I'd certainly think hard about it)
[17:05:45] <tos9> I've got some local improvements to that Version object which one day I'll get upstream too