Invalid Package "excel 1.0.0" https://pypi.org/project/excel/1.0.0/ #172
Comments
Good point! How do you remove something like this from there?
The preferred path for security notifications is emailing [email protected] directly, as per https://pypi.org/security/. However, since there isn't a clear built-in system for reporting problematic packages at this stage, and this ticket already exists, I'll just let @ewdurbin know about it as the PSF's Director of Infrastructure.
😱 That is quite discomforting to know. So next time someone pushes some malware to PyPI, it will take days or weeks to get rid of it? -- Good to know!
It's not clear to me if removal of this project is specified under PEP 541. The closest clause is Invalid Projects, but I'm not sure if there is sufficient claim to any of the criteria.
Indeed, only the e-mail domain has been compromised and the package is not malware. While contacting the original author is arguably non-trivial, it should still be possible that he will turn up.
I should have elaborated about the web link: this is a typical example of increasing incoming web links to increase the ranking of a website in search engines. As per PEP 541 it's an Invalid Project, following clauses are being checked: And it is also fulfilling all the checkboxes for an Abandoned project.
I recently started working on legacy code, where we were using Python 2.6 and excel==0.7.2. I wanted to search if somebody was maintaining excel. I wanted to upgrade to Python 3.x+. This led me to excel 1.0.0 on PyPI.
Link to GitHub: https://github.com/twz915/excel/blob/master/excel/xlrd_shortcuts.py It's nowhere near complete, nor is it an extension of the original work. It's just a wrapper over xlrd, encapsulating 1 function and 4 variables from xlrd. Secondly, the link to the website (a replica of www.w3schools.com) and the email addresses have both been compromised. This package excel==1.0.0 should be removed from the PyPI repository.