List: python-catalog-sig
Subject: Re: [Catalog-sig] bad package that's fishing bitbucket emails
From: m t <dreamabyss () hotmail ! com>
Date: 2012-03-30 0:11:49
Message-ID: BLU0-SMTP405B9C9439EFA2CE0497936CA490 () phx ! gbl
hi,
Yuval and Michael were right (attached below is Bitbucket's reply), i definitely over-reacted
hopefully there is some way for you guys to automatically detect nefarious packages from entering PyPI
thanks for the communication, top-notch
good job with the feedback and discussion,
mt
and here is bitbucket's reply to my notifying them of that repo:
Brodie Rao, Mar 29 13:07 (PDT):
Hi mt,
I don't think that user's phishing; he's just using our CNAME feature that lets him point a domain name to his Bitbucket profile and repositories.
You'll get different opinions from other people on the Bitbucket team, but I'm personally not a fan of the feature because of the confusing security implications it has (as you've found out). It does indeed lead you to log into the site using his domain name.
We may look into improving how logins work on CNAMEs in the future. For now, you can still view his repositories on bitbucket.org directly. I recommend doing that if you don't trust the owner of the domain name.
If you have any other questions, let me know.
Thanks,
Brodie
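The point Brodie makes is that a vanity domain pointed at Bitbucket by a CNAME record serves genuine pages but still puts the login form under a hostname the user cannot attribute to Bitbucket. The defensive rule that follows is the one he suggests: only trust a sign-in URL whose host is the canonical one. The snippet below is an added example written for this archive page, not code from the thread or from Bitbucket; the only host taken from the thread is bitbucket.org, and every URL in the sample list is constructed.

```python
"""Classify sign-in URLs by whether their host is the canonical service host.

Added example for the discussion above (not part of the original thread).
A custom domain that a CNAME record points at a hosting service can serve
the service's real login page, but the browser still submits credentials to
that custom domain, and the address bar alone cannot tell the user who owns
it.  The check here refuses to treat anything but the canonical host as safe.
"""
from urllib.parse import urlsplit

# Canonical hosts allowed to receive credentials.  bitbucket.org is the one
# host named in the thread; the set is otherwise an assumption of this example.
CANONICAL_HOSTS = {"bitbucket.org"}


def host_matches(host: str, allowed: str) -> bool:
    """True if `host` equals `allowed` or is a subdomain of it.

    The comparison is done on a label boundary, so "notbitbucket.org" and
    "bitbucket.org.evil.example" do not match "bitbucket.org".
    """
    host = host.lower().rstrip(".")  # normalise case and a trailing root dot
    return host == allowed or host.endswith("." + allowed)


def classify_login_url(url: str, canonical=frozenset(CANONICAL_HOSTS)) -> str:
    """Return 'canonical', 'vanity' or 'invalid' for a sign-in URL.

    'vanity' covers every host outside the canonical set, including a custom
    domain CNAMEd at the service: the page may be genuine, but the credentials
    go to a domain whose owner the user cannot identify from the URL.
    'invalid' covers URLs with no usable host or without HTTPS.
    """
    parts = urlsplit(url)
    # urlsplit().hostname drops userinfo ("bitbucket.org@evil.example" has
    # hostname "evil.example"), drops the port and lower-cases the name, so
    # those lookalike tricks cannot produce a false 'canonical'.
    if parts.scheme != "https" or not parts.hostname:
        return "invalid"
    if any(host_matches(parts.hostname, c) for c in canonical):
        return "canonical"
    return "vanity"


def urls_needing_warning(urls) -> list:
    """Return the URLs a user should not enter credentials into as given."""
    return [u for u in urls if classify_login_url(u) != "canonical"]


# Constructed sample URLs (none of these are from the thread).
SAMPLE_URLS = [
    "https://bitbucket.org/account/signin/",
    "https://BitBucket.org:443/account/signin/",
    "https://code.example.net/account/signin/",           # vanity CNAME domain
    "https://bitbucket.org.evil.example/account/signin/",  # lookalike suffix
    "https://notbitbucket.org/account/signin/",            # lookalike prefix
    "https://bitbucket.org@evil.example/account/signin/",  # userinfo trick
    "http://bitbucket.org/account/signin/",                # no TLS
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{classify_login_url(url):10} {url}")
```

Running the block prints one line per sample URL; only the first two are reported as `canonical`, and `urls_needing_warning(SAMPLE_URLS)` returns the remaining five.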
_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig