Create PyPI Package with Modified Name to Avoid Typosquatting and Enable Wide Distribution
d33bs opened this issue · 2 comments
💡 Summary
"chirp" is already registered as a package name on PyPI, meaning someone may erroneously believe they're installing CISA's CHIRP but end up with https://pypi.org/project/chirp/ instead. In general, this may make this project vulnerable to typosquatting (https://en.wikipedia.org/wiki/Typosquatting). CISA could deploy a PyPI package as "cisa-chirp" to differentiate it from other packages and protect against typosquatting (in addition to general confusion with other packages).
This seems to have been brought up and closed, but I'd like to resurface as an idea for consideration. Reference: #19
Motivation and context
In general, the package and project name similarities may make this project vulnerable to typosquatting (https://en.wikipedia.org/wiki/Typosquatting). Making a PyPI package available with another name and documenting it would be beneficial in securing the project and would enable wide distribution via the command line: "pip install <package name>".
Implementation notes
Propose including the authority in the package name itself, for instance "cisa-chirp", to differentiate it and provide trust in the package via PyPI.
Acceptance criteria
How do we know when this work is done?
- Issuing the command "pip install <modified package name>" installs CISA's CHIRP project and enables it to be used on the client machine.
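One way to evaluate a proposed distribution name before publishing it, as an added example that is not part of the CHIRP project or of this issue: normalize names the way PyPI does (PEP 503), then report any registered name that is identical to, or within a couple of edits of, the candidate. The list of "registered" names below is constructed for illustration; a real check would be run against the names served by the index's simple API (https://pypi.org/simple/).

```python
"""Check a proposed PyPI distribution name against already-registered names.

Added example for this issue, not code from the CHIRP project. The list of
registered names below is constructed for illustration; a real check would
query the index (e.g. https://pypi.org/simple/) instead.
"""
import re

# Constructed sample of names assumed to be registered on the index.
REGISTERED_NAMES = ["chirp", "chirpy", "chirps", "requests", "numpy"]


def normalize_name(name: str) -> str:
    """Normalize a distribution name the way PyPI does (PEP 503):
    runs of '-', '_' and '.' become a single '-', and case is folded."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1,        # delete ca
                           cur[j - 1] + 1,     # insert cb
                           prev[j - 1] + cost))  # substitute
        prev = cur
    return prev[-1]


def name_collisions(candidate: str, registered=REGISTERED_NAMES, max_distance: int = 2):
    """Return (registered_name, distance) pairs that are identical to, or within
    max_distance edits of, the candidate after normalization. An empty list means
    the candidate is neither taken nor an easy typo of an existing name."""
    cand = normalize_name(candidate)
    hits = []
    for name in registered:
        d = edit_distance(cand, normalize_name(name))
        if d <= max_distance:
            hits.append((name, d))
    hits.sort(key=lambda h: (h[1], h[0]))
    return hits


if __name__ == "__main__":
    for proposed in ("chirp", "cisa-chirp"):
        hits = name_collisions(proposed)
        print(f"{proposed}: {hits or 'no collisions within 2 edits'}")
```

Against the constructed list, "chirp" is reported as taken outright and as one edit away from "chirps" and "chirpy", while "cisa-chirp" returns no hits; the authority prefix is what pushes the name out of typo range of the existing package. Normalization matters because PyPI treats "CISA_Chirp", "cisa.chirp" and "cisa-chirp" as the same name, so a comparison done on raw strings would miss exact collisions.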
I will take this internally to our team for discussion, but outside of the usefulness of being able to install from the command line, we do not currently see any reason to implement this fix for the reasons detailed in #19.
There are some additional problems we would have to solve in doing this, specifically around the yara package, as it also requires the Windows build libraries and SDK, which adds an additional level of complication in smoothly installing the program.
If somebody would like to make a pull to implement the setup file required to get this to work we may consider merging, however we have some more pressing improvements and bugs needed for this project prior to dedicating focus to this.