Possible spamming of package namespace

[emesik]

Hi,

I've just found that the account use-r created a bunch of empty packages within the last couple of days. They mostly cover names of cryptocurrencies but not only.

It seems to be a spam attack on the package namespace, as none of the packages I picked randomly seems to contain any code.

Can this be resolved somehow? I'm particularly interested in the monero module that I'm developing and planning to release soon.

[brainwane]

@emesik Thanks for reporting this. As I understand this, this is waiting on the acceptance of PEP 541 which gives us a framework for addressing problems like this. How soon are you planning on making your release?

[emesik]

Thanks. I looked at PEP 541 and it seems to me this particular case is an example of name squatting.
The project contains only one release without actual code or even author's email. Do you think it could be resolved before PEP 541 gets accepted?

I'm planning to have the first release ready next week. It would be great if I could push it to PyPi.

[brainwane]

@emesik Thanks for clarifying! We've now addressed all the malicious and squatting packages the user had created, but unfortunately regarding monero, I have to ask you to wait for PEP 541 to be accepted. Thanks and regrets for the wait.

[emesik]

It seems like that user's account has been cleaned from packages except those that bear names of cryptocurrencies. Actually, those are meaningful ones, and they stay blocked. Why?

I understand that the first user who claims a package name, gets it. However, I used to think that PyPi is a place where code is being published, not just a competition of who's the first to get an interesting name for a project that doesn't exist. Unfortunately, the package I'm talking about is exactly the opposite: it only occupies the name, containing no single line of code.

This is not about a conflict with a competitive project or attempt at takeover of an abandoned one. There's just no project at all.

PEP 541 has been around there for over a year, which is a very long time in terms of software development, and there's no public indication of a deadline when it's going to be implemented. Waiting for it doesn't make any sense and I'm sure you are aware of it.

Meanwhile it's a matter of a couple lines of code to spam the entire namespace with dictionary attack creating empty packages named after every single English word (or any other set). Since those names would be meaningful, being consistent the PyPi admins would have to keep them and refuse developers with valuable code publishing their work under those names. Right?

[brainwane]

@emesik Thank you for your reply, and I'm sorry for how frustrating this is. I'm frustrated too. I'm not one of the people with the power to delete packages on PyPI, but I am hearing your concerns and passing them on to the PyPI administrators.

PyPI got a bunch of spam packages this past weekend which has spurred several new features and guards against certain kinds of automated attack, such as:

• Verify email on registration Verify email on registration #2960
• Require at least one verified email address to register new projects. Require at least one verified email address to register new projects. #2972
• Implement an Admin Flag model and some Emergency Circuit breakers Implement an Admin Flag model and some Emergency Circuit breakers #2967
• Admin feature: Nuke user Admin feature: Nuke user #2977

We also opened #2982 and #2976 to work on future strategies and tools to guard against spamming.

I personally started pushing for more movement on PEP 541 a few months ago. This month the community changed the approval authority on that PEP in python/peps#566 which provides a clearer way forward for it. I recognize it's been a long wait and I am trying to make it shorter so that the policy's in place to address quite a lot of package name transfer requests.

None of this context gives you the package name you want right away, and I'm sorry for that.

[emesik]

Thanks for that info, @brainwane. Sorry to hear about that lot of work you have because of spammers.

Meanwhile I published my project under the name monero-python, however silly the additional python part sounds in a Python package name. I hope I'll be able to move it to the name consistent with the module's.

[rspencer01]

This particular account has grabbed a name I want (and own a github and readthedocs repo for). @brainwane claimed that all the squatting packages had been addressed, but at least this one, dent, isn't.

I recognise that ranting and raving on a github issue because "someone stole a thing I didn't own" is not useful, but this user seems to be malicious. Is there any way to take action/bring this particular user to the attention of the admins?

[di]

@rspencer01 We addressed the packages that were typo-squatting on stdlib module names, but left the rest in place. If you'd like to lay claim to the dent package name, please file a separate issue, we'll tag it with the "PEP 541" label, and we'll address it when we begin to worth through the backlog of these requests.

@emesik I'll ask you to do the same for the monero package, if you still want this package name.

Thanks all for your patience.

[keysmashes]

My interpretation of PEP 541 was that name-squatting packages with no functionality would be removed immediately:

A project published on the Package Index meeting ANY of the following is considered invalid and will be removed from the index:

[...]

• project is name squatting (package has no functionality or is empty)

That list also includes malware and Terms of Use violations. Was the intention that packages like that would only be removed if someone else wants the name?

[dstufft]

There's no automated process to remove names (and there likely won't ever be). Trying to auto remove names more or less just ends up with an arms race, where people who are trying to squat a name will just start uploading more and more complex packages to trick the auto-remover so that they can successfully squat the name.

[emesik]

And the best tactic in arms race is to give up immediately?

[keysmashes]

Sure, I didn't particularly expect (or necessarily want) an automated process – I think what I was really asking was which one of these is the plan for dealing with name-squatting packages:

• they're removed without being reassigned to a new maintainer if they have had no functionality for a sufficient time (assuming someone points it out, e.g. this issue)
• they're removed only when someone else wants to use the name

In a scenario like this, where a single user creates many empty packages with no apparent plan to use them, it would make sense to me to remove them all at once rather than making each person that wants to use one of the taken names request it individually.