Re: Open source archives hosting malicious software packages

2017-09-22 Thread Neil Bowers
First cut at a script to check new CPAN packages: https://github.com/neilb/cpan-watcher
At the moment it just flags:
- Package names that are confusable with packages in other dists
- Package names which don’t come under the expected main package name

Re: Open source archives hosting malicious software packages

2017-09-21 Thread Kent Fredric
On 21 September 2017 at 20:24, Neil Bowers wrote: > I’ll tweak my script to not worry about packages in the same distribution > (eg Acme::Flat::GV and Acme::Flat::HV). Then I just need to get a list of > new packages each day, and I’m just about there :-) I'd probably want PAUSE trust modelling

Re: Open source archives hosting malicious software packages

2017-09-21 Thread Neil Bowers
> Would anyone know of any prior art for detection of "short edit distances"? > (Perhaps even already on CPAN?) As David & Zefram pointed out, Levenshtein is the classic algorithm for this, but there are plenty of others; in the SEE ALSO for Text::Levenshtein I’ve listed at least some of the o

Re: Open source archives hosting malicious software packages

2017-09-20 Thread James E Keenan
On 09/20/2017 06:01 PM, Neil Bowers wrote: http://www.theregister.co.uk/2017/09/15/pretend_python_packages_prey_on_poor_typing/ Would CPAN be subject to the same problem as described in the article above? Yes. DBI::Class, for example, could be a typo for DBIx::Class or a misremembered Class::D

Re: Open source archives hosting malicious software packages

2017-09-20 Thread Zefram
James E Keenan wrote: >Would anyone know of any prior art for detection of "short edit distances"? >(Perhaps even already on CPAN?) Text::Levenshtein. -zefram

Re: Open source archives hosting malicious software packages

2017-09-20 Thread David Precious
On Wed, 20 Sep 2017 18:08:34 -0400 James E Keenan wrote: > On 09/20/2017 06:01 PM, Neil Bowers wrote: > > One thing we could do is have a tool looking at newly registered > > package names and alert the PAUSE admins to have a look at any that > > are a short edit distance from an existing package

Re: Open source archives hosting malicious software packages

2017-09-20 Thread Neil Bowers
>> http://www.theregister.co.uk/2017/09/15/pretend_python_packages_prey_on_poor_typing/ >> Would CPAN be subject to the same problem as described in the article above? > > Yes. > > DBI::Class, for example, could be a typo for DBIx::Class or a > misremembered Class::DBI, and there's nothing stoppi