I recently wrote about how I added the ability to quarantine projects under investigation on @pypi
Read here: https://blog.pypi.org/posts/2024-12-30-quarantine/
@miketheman thanks for doing this work of weeding the community garden!
Would this not create a mechanism to DDoS a project and inundate the Slack channel with tons of fake reports?
Causing distribution disruption to victim projects and all projects which have that package as an indirect dependency.
So bad actors would target low level projects to maximize disruption. These projects are often plagued by absent maintainers.
https://blog.pypi.org/posts/2024-12-30-quarantine/#future-improvement-automation
Some good targets that are unmaintained:
pip-tools
pip-requirements-parser