PMXBOT Log file Viewer


#pypa logs for Tuesday the 18th of August, 2020

[16:56:01] <natefoo> Is there a way to locate the sdist of a package in the pip cache?
[16:58:06] <natefoo> pip download --no-binary :all: --no-deps <package> doesn't work - maybe this means the sdist isn't there (although a wheel is), but the package also doesn't exist in PyPI anymore, so I'm unclear on whether that's the cause
[16:58:53] <natefoo> Since the error is: Cache entry deserialization failed, entry ignored; Could not find a version that satisfies the requirement <package> (from versions: )
[17:06:50] <natefoo> Ah, `pip cache list` in newer versions - but it only lists wheels.
[17:19:42] <ngoldbaum> you only get sdists if wheels aren’t available
[17:20:08] <ngoldbaum> although if there aren’t any extensions then the wheel has all the sources, iirc
[17:20:13] <ngoldbaum> wheels are just zip archives
[17:20:39] <ngoldbaum> if there are extensions then you’ll be missing the C (or whatever) sources
[17:21:14] <ngoldbaum> (i think)
[17:23:55] <natefoo> Yeah, I am looking for the setup.py, so that's not in the wheel. I'm doing forensics on a malicious package that was somehow installed. It's been removed from PyPI already but I'm trying to figure out what was in the setup.py that might've been executed.
[17:24:30] <ngoldbaum> ahhhh
[17:24:53] <ngoldbaum> presumably the pypi admins still have a copy
[17:25:36] <natefoo> I am pretty sure it was fetched as an sdist because the create time of the built objects in the wheel matches the time of the suspected break-in.
[17:25:52] <natefoo> Yeah, presumably - I haven't contacted them, they took it down before I was aware of this.
[17:26:08] <ngoldbaum> oh jeeze, was this a real-world typosquatting attack via pypi?
[17:35:07] <natefoo> Yup
[17:46:34] <ngoldbaum> maybe di_codes can help?
[17:48:27] <PSFSlack> <di> hullo, please email admin@pypi.org with details about the project name / version
[17:48:42] <PSFSlack> <di> for future reference: PyPI never actually deletes any distribution files, so we have everything on disk
[17:58:58] <natefoo> I'll email, thanks.