Hi everyone,
I would like to ask if there are any plans to make the list of denied packages on PyPI available to the community. If not, is this something to consider?
Thanks in advance,
Fridolin
Hi Fridolín,
What do you mean by denied packages?
I assume the list is private for security reasons. But you might be interested in a subset: the names reserved for Fedora packages (in Details at the bottom of the comment).
There are no plans to make the list public, though I’m curious why you ask or what benefit you’re imagining.
FYI, I would estimate that the list consists of about 90% spam package names. The prohibitions are mostly reactive and not preemptive, with the exception of cases like what @encukou has already shared.
We have two main use-cases on our side:
What do you mean by denied packages?
Package names that are denied by PyPI - either typo-squatted or spam packages.
Another use case for us is notification of a spotted malicious package on PyPI, where users who accidentally installed such a package would be notified of possible security concerns.
Just to reiterate: not all package names that have been blocked should be considered malicious – currently we don’t differentiate. Surfacing known-malicious projects that have been taken down is captured in https://github.com/pypa/warehouse/issues/4703