This repository has been archived by the owner on Jun 10, 2021. It is now read-only.

Create PyPI Package with Modified Name to Avoid Typosquatting and Enable Wide Distribution #23

d33bs opened this issue Mar 23, 2021 · 2 comments
Labels
evaluating This issue or pull request currently has no definitive outcome on implementation.

Comments

@d33bs
Contributor

d33bs commented Mar 23, 2021

💡 Summary

"chirp" is already registered as a package name on PyPI, meaning someone may erroneously believe they're installing CISA's CHIRP but end up with https://pypi.org/project/chirp/ instead. In general, this may make this project vulnerable to typosquatting (https://en.wikipedia.org/wiki/Typosquatting). CISA could deploy a PyPI package as "cisa-chirp" to differentiate it from other packages and protect against typosquatting (in addition to general confusion with other packages).

This seems to have been brought up and closed, but I'd like to resurface as an idea for consideration. Reference: #19

Motivation and context

In general, the package and project name similarities may make this project vulnerable to typosquatting (https://en.wikipedia.org/wiki/Typosquatting). Making a PyPI package available under another name and documenting it would be beneficial in securing the project and would enable wide distribution via the command line: "pip install <package name>".

Implementation notes

Propose including the authority in the package name itself, for instance "cisa-chirp", to differentiate the package and provide trust in it via PyPI.

Acceptance criteria

How do we know when this work is done?

  • Issuing the command "pip install <modified package name>" installs CISA's CHIRP project and enables it to be used on a client machine.
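A pre-publication name check for the proposal above, added here as an example (it is not part of the CHIRP project or of this issue thread). It applies the PEP 503 normalization that PyPI uses, under which `cisa-chirp`, `cisa_chirp` and `CISA.Chirp` all resolve to the same project, so a candidate name can be "taken" even when that exact spelling is not registered, and it flags existing names within a small edit distance as typosquatting risks in either direction. The `EXISTING_NAMES` list is constructed for illustration; only `chirp` comes from the issue. In practice the list would be fetched from the PyPI Simple index (https://pypi.org/simple/).

```python
"""Pre-publication PyPI name check (added example, not CHIRP project code)."""
import re

# Assumed-registered names. Constructed sample: only "chirp" is taken from the
# issue; the rest are placeholders standing in for the real PyPI index.
EXISTING_NAMES = ["chirp", "chirpy", "chirps", "cisa_chirp", "requests", "yara-python"]


def normalize(name: str) -> str:
    """PEP 503 normalization: runs of '-', '_' and '.' become a single '-',
    and the result is lower-cased. PyPI treats names that normalize
    identically as the same project."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used as a crude typosquat proximity measure."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_name(candidate: str, existing=EXISTING_NAMES, max_distance: int = 2) -> dict:
    """Classify a candidate package name against a list of existing names.

    Returns a dict with:
      candidate  - the normalized candidate
      taken      - existing names that normalize identically (registration
                   would fail; users typing the candidate get that project)
      near_miss  - existing names within max_distance edits of the candidate
                   (typos in either direction land on the other project)
      substring  - existing names embedded in the candidate (name confusion,
                   e.g. "chirp" inside "cisa-chirp")
    """
    cand = normalize(candidate)
    norm = {n: normalize(n) for n in existing}
    taken = [n for n in existing if norm[n] == cand]
    near = [n for n in existing if 0 < edit_distance(norm[n], cand) <= max_distance]
    substr = [n for n in existing if norm[n] != cand and norm[n] in cand]
    return {"candidate": cand, "taken": taken, "near_miss": near, "substring": substr}


if __name__ == "__main__":
    for name in ("chirp", "cisa-chirp", "CISA.Chirp", "chrip"):
        print(check_name(name))
```

The `cisa-chirp` result shows the caveat with an authority prefix alone: it removes the collision with `chirp`, but the prefixed name is still one typo away from anything else that normalizes to `cisa-chirp`, so the name has to actually be registered (and the documented install command kept in sync) for the prefix to protect users.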
@DeemOnSecurity
Contributor

I will take this internally to our team for discussion, but outside of the usefulness of being able to install from the command line, we do not currently see any reason to implement this fix for the reasons detailed in #19.

There are some additional problems we would have to solve in doing this, specifically around the yara package, as it also requires the Windows build libraries and SDK, which adds an additional level of complication in smoothly installing the program.

If somebody would like to open a pull request to implement the setup file required to get this to work, we may consider merging it; however, we have some more pressing improvements and bugs to address in this project prior to dedicating focus to this.

@DeemOnSecurity DeemOnSecurity added the evaluating This issue or pull request currently has no definitive outcome on implementation. label Mar 24, 2021
@84210maruf

chrome
