On 04/12/2019 18.59, David Lowry-Duda wrote: > I notice that "python3-dateutil" is in over 4000 github repositories > [1]. That sounds like a disaster. > > [1]: https://github.com/search?q=python3-dateutil&type=Code
At least the first pages are packaging files for Debian, Fedora, and other Linux distributions. Downstream distributions provide a Python package under multiple names. For example the Fedora's build spec [1] creates python2-dateutil and python3-dateutil packages from the python-dateutil upstream project. Attackers abuse the fact and try to typo-squat packages in hope that somebody uses the Linux distribution package name "python3-dateutil" instead of the upstream name "python-dateutil" in requirements.txt Christian [1] https://src.fedoraproject.org/rpms/python-dateutil/blob/master/f/python-dateutil.spec -- https://mail.python.org/mailman/listinfo/python-list
