Namespace reuse policy for removed malicious packages
shelbyc opened this issue · comments
Hi there,
What is Packagist's policy for allowing reuse of names of packages that were removed due to malicious content? The package symfont/process* has been removed from Packagist. Would it be possible for someone to register the name symfont/process again in the future, or are there measures in place to prevent others from reusing this name?
Thanks!
*https://www.kernelmode.blog/typosquatting-malware-found-in-composer-repository/
We have some measures in place now for typosquatting monitoring, which I believe would prevent similar attacks or at least allow us to discover it quick enough.
@Seldaek Thank you for responding! I wasn't clear enough in my initial question, and a better wording would be:
After a particular package is removed for being malicious, could someone later request or re-register the same name to host a legitimate, non-malicious package?
Yes generally, but this particular vendor we would probably block anyway, legitimate looking or not
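To illustrate the two measures discussed in this thread (blocking a vendor whose packages were removed as malicious, and typosquatting monitoring against popular names such as symfony/process), here is an added example of a registration gate. It is not Packagist's own code; the package lists, the blocked vendor set and the distance threshold are constructed assumptions for illustration.

```python
# Added example (not Packagist's code): a name-registration gate that rejects
# vendors removed for malicious content and flags proposed names that sit within
# a small Damerau-Levenshtein distance of popular packages. Lists are constructed.

POPULAR = {"symfony/process", "symfony/console", "monolog/monolog"}
BLOCKED_VENDORS = {"symfont"}  # hypothetical: vendor removed for malicious packages


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            # adjacent transposition, e.g. "monolgo" vs "monolog"
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def check_registration(name: str, max_distance: int = 2) -> dict:
    """Decide whether a proposed vendor/package name may be registered."""
    full = name.lower()
    vendor, _, package = full.partition("/")
    if vendor in BLOCKED_VENDORS:
        return {"decision": "reject",
                "reason": f"vendor '{vendor}' was removed for malicious content"}
    if full in POPULAR:
        return {"decision": "reject", "reason": "name already taken"}
    for known in sorted(POPULAR):
        kv, _, kp = known.partition("/")
        # score vendor and package separately so "symfont/process" lands
        # right next to "symfony/process" instead of being diluted by the slash
        dist = damerau_levenshtein(vendor, kv) + damerau_levenshtein(package, kp)
        if 0 < dist <= max_distance:
            return {"decision": "review",
                    "reason": f"resembles {known} (distance {dist})"}
    return {"decision": "allow", "reason": "no similarity to protected names"}


if __name__ == "__main__":
    for candidate in ["symfont/process", "symfonyy/console", "monolog/monolgo", "acme/widgets"]:
        print(candidate, check_registration(candidate))
```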