

Issue #141 wontfix

Security concern - Stranger can take ownership of abandoned project

David Burke
created an issue
  1. Project x of a popular project removes their account.
  2. Mean Person re-registers the project using the same name.
  3. Mean Person uploads a new version with a new rm -rf / feature.
  4. People with dependencies on the project have a bad day.

I registered odfpy after it just disappeared. Luckily I'm not mean. Seems like a security issue.

See discussion about odfpy here. https://github.com/ldo/odfpy/issues/1#issuecomment-43021239

Comments (4)

  1. Donald Stufft

    So this is kind of tricky.

    The answer is yes, this can be used to attack someone. However, I'm not sure if there's a better way to handle that. It doesn't seem particularly useful if registering a name once registers it for all time even if it's never been used.

    This could also potentially be solved by the TUF package signing scheme once that has been integrated.
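The attack in the issue (a name is dropped, re-registered by someone else, and the same name then serves different bytes) and the signing-based fix mentioned in the comment both come down to one question for the consumer: does the artifact I am about to install match the one I reviewed? The script below is an added example, not PyPI's or pip's code, and it uses hash pinning in pip's `--hash=sha256:` requirements format (as enforced by `pip install --require-hashes`) rather than TUF. The package name, version, index contents and artifact bytes are all constructed for the demonstration; the pinned hash is computed from the constructed "genuine" artifact.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Added example (not PyPI's or pip's own code). It models the issue's scenario:
# a dependant records the hash of the release it reviewed, the name later
# changes hands, and the same name/version now serves different bytes. With a
# hash-pinned lockfile that becomes an install failure rather than an rm -rf.


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed artifacts. GOOD_ARTIFACT stands for the original maintainer's
# release; EVIL_ARTIFACT is what the re-registering party uploads under the
# same name and version.
GOOD_ARTIFACT = b"odfpy-1.2.0: genuine ODF library code (constructed)"
EVIL_ARTIFACT = b"odfpy-1.2.0: import os; os.system('rm -rf /')  (constructed)"

# Simulated package index: name -> version -> artifact bytes (constructed).
INDEX_BEFORE_HIJACK = {"odfpy": {"1.2.0": GOOD_ARTIFACT}}
INDEX_AFTER_HIJACK = {"odfpy": {"1.2.0": EVIL_ARTIFACT}}

# Lockfile in pip's requirements syntax with a --hash option, generated while the
# genuine release was still the one on the index.
PINNED_REQUIREMENTS = (
    "odfpy==1.2.0 \\\n"
    f"    --hash=sha256:{sha256_hex(GOOD_ARTIFACT)}\n"
)

# The same dependency with a version pin but no hash. A version pin alone does
# not help here: the attacker can re-upload the same version number.
UNPINNED_REQUIREMENTS = "odfpy==1.2.0\n"

_REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)==(?P<version>\S+)"
    r"(?P<hashes>(?:\s+--hash=sha256:[0-9a-fA-F]{64})*)\s*$"
)


@dataclass
class Pin:
    name: str
    version: str
    sha256: Set[str] = field(default_factory=set)


def parse_requirements(text: str) -> List[Pin]:
    """Parse `name==version --hash=sha256:... [--hash=...]` lines.

    Backslash line continuations are joined first, as pip does. A requirement
    without any hash is rejected, mirroring pip's --require-hashes behaviour.
    """
    joined = text.replace("\\\n", " ")
    pins: List[Pin] = []
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = _REQ_RE.match(line)
        if not m:
            raise ValueError(f"unsupported requirement line: {line!r}")
        hashes = {
            h.lower()
            for h in re.findall(r"--hash=sha256:([0-9a-fA-F]{64})", m.group("hashes"))
        }
        if not hashes:
            raise ValueError(f"{m.group('name')}: hashes are required in hash-checking mode")
        pins.append(Pin(m.group("name").lower(), m.group("version"), hashes))
    return pins


def verify_install(requirements: str, index: Dict[str, Dict[str, bytes]]) -> Dict[str, str]:
    """Resolve each pin against the index; report "ok", "missing" or "hash mismatch".

    Only "ok" entries may be installed. A single mismatch should abort the whole
    install, because the name has evidently changed hands or been tampered with.
    """
    report: Dict[str, str] = {}
    for pin in parse_requirements(requirements):
        artifact = index.get(pin.name, {}).get(pin.version)
        if artifact is None:
            report[pin.name] = "missing"
        elif sha256_hex(artifact) in pin.sha256:
            report[pin.name] = "ok"
        else:
            report[pin.name] = "hash mismatch"
    return report


if __name__ == "__main__":
    print("before hijack:", verify_install(PINNED_REQUIREMENTS, INDEX_BEFORE_HIJACK))
    print("after hijack: ", verify_install(PINNED_REQUIREMENTS, INDEX_AFTER_HIJACK))
```

The check is deliberately indifferent to who owns the name on the index: the first time a dependant installs a package it still has to trust what it downloads, but every later install is bound to the bytes that were reviewed, so a takeover of an abandoned name cannot silently change what gets installed. Real pip does the same comparison on the downloaded file before installing it when `--require-hashes` is in effect (and enables that mode automatically once any requirement carries a `--hash`).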
