cupy / cupy

NumPy & SciPy for GPU

Home Page:https://cupy.dev

[Postmortem] `cupy-cuda112` Package Squatting Issue on PyPI

kmaehashi opened this issue

tl;dr: An invalid cupy-cuda112 package (versioned v2.2.2) was online from 2021-02-25 18:17 to 2021-02-26 11:09 (UTC). The packages currently hosted on PyPI (versioned v8.5.0 and v9.0.0b3) and on GitHub Releases (#4704) were built by the CuPy team and are all safe.


Date:
2021-03-02

Author:
The CuPy Team (@kmaehashi)

Status:
Complete (action items ongoing)

Summary:
A package named cupy-cuda112, which we were planning to release on 2021-02-26, was taken by a third party the day before the release.

Impact:

  1. Users who ran pip install cupy-cuda112 received an unexpected package.
  2. The release of the cupy-cuda112 package was delayed.

Root Causes:
PyPI does not provide a feature to create a namespace or reserve future package names.

Resolution:
Moved the ownership of the cupy-cuda112 package to the CuPy project and removed the invalid release assets, following the PEP 541 process.

Action Items:
Until PyPI implements a package namespace feature, we will do the following to mitigate the situation.

  1. Secure a package name on PyPI as soon as the corresponding CUDA version has been released, instead of when making a new CuPy release for that CUDA version.
  2. Monitor PyPI for packages containing cupy in their names, and request a takedown when needed (e.g., the package has malicious content).
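The monitoring in action item 2 can be automated against the PyPI "simple" index (PEP 503: one `<a>` per project). The following is an added example written for this page, not CuPy's own tooling. It normalizes project names the way pip does (case-folded, runs of `-`, `_` and `.` collapsed to a single `-`), so that `Cupy_Cuda113` and `cupy.cuda114` are recognized as occupying the `cupy-` namespace, and reports every project that contains the watched name but is not on an allowlist of names the project itself owns. The index snippet and the allowlist are constructed for the example; a real run would fetch `https://pypi.org/simple/` instead.

```python
"""Watch the PyPI simple index for packages squatting on a project's name.

Added example (not CuPy's own tooling). SAMPLE_INDEX is a constructed
stand-in for https://pypi.org/simple/, which is a large HTML page with one
<a> element per project. ALLOWLIST is an assumed list of names the project
is known to own; adjust it to the real set before using this for real.
"""
import re
import urllib.request
from html.parser import HTMLParser

WATCH = "cupy"
# Assumed allowlist for the example: names the project itself owns.
ALLOWLIST = {"cupy", "cupy-cuda110", "cupy-cuda111", "cupy-cuda112"}

# Constructed sample of the simple index (the real one has ~300k entries).
SAMPLE_INDEX = """<!DOCTYPE html><html><body>
<a href="/simple/cupy/">cupy</a>
<a href="/simple/cupy-cuda110/">cupy-cuda110</a>
<a href="/simple/cupy-cuda112/">cupy-cuda112</a>
<a href="/simple/Cupy_Cuda113/">Cupy_Cuda113</a>
<a href="/simple/cupy.cuda114/">cupy.cuda114</a>
<a href="/simple/numpy/">numpy</a>
<a href="/simple/occupy/">occupy</a>
</body></html>"""


def normalize(name):
    """PEP 503 normalization: lower-case, collapse runs of -_. into '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


class IndexParser(HTMLParser):
    """Collects the text of every <a> element in a simple-index page."""

    def __init__(self):
        super().__init__()
        self.names = []
        self._in_a = False

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._in_a = True

    def handle_data(self, data):
        if self._in_a and data.strip():
            self.names.append(data.strip())

    def handle_endtag(self, tag):
        if tag == "a":
            self._in_a = False


def project_names(index_html):
    """Return the raw project names listed in a simple-index HTML page."""
    parser = IndexParser()
    parser.feed(index_html)
    return parser.names


def suspicious_names(index_html, watch=WATCH, allowlist=ALLOWLIST):
    """Return sorted (normalized_name, reason) pairs worth a human look.

    reason == "namespace": the name is exactly `watch` or starts with
    `watch-`, i.e. it sits in the namespace the project uses for its own
    variant packages (the cupy-cuda112 case), but is not in the allowlist.
    reason == "substring": `watch` merely appears inside the name (lower
    signal; e.g. "occupy" contains "cupy"), still reported for review.
    """
    allowed = {normalize(n) for n in allowlist}
    watch = normalize(watch)
    hits = set()
    for raw in project_names(index_html):
        name = normalize(raw)
        if name in allowed or watch not in name:
            continue
        if name == watch or name.startswith(watch + "-"):
            hits.add((name, "namespace"))
        else:
            hits.add((name, "substring"))
    return sorted(hits)


def fetch_live_index(url="https://pypi.org/simple/"):
    """Fetch the real index (network access; not used by the offline run)."""
    with urllib.request.urlopen(url, timeout=60) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    for name, reason in suspicious_names(SAMPLE_INDEX):
        print(f"{reason:9s} {name}")
```

Run against the live index, every "namespace" hit that the project did not register itself is a candidate for a PEP 541 request, and a new hit appearing between two runs is exactly the event this postmortem describes. Normalizing before comparing matters: PyPI treats `Cupy_Cuda113`, `cupy.cuda113` and `cupy-cuda113` as the same project, so an unnormalized substring check on the raw names would miss nothing here but would let an allowlist entry written in one spelling fail to match the index's spelling.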

Timeline (in UTC)

  • 2021-02-25 18:17: Package cupy-cuda112 was created by an attacker, and an invalid package asset (versioned v2.2.2) was uploaded.
  • 2021-02-26 05:06: The CuPy team tried to register a new package cupy-cuda112 for the v8.5.0 / v9.0.0b3 release and discovered that it had already been taken by a third party.
  • 2021-02-26 05:43: The CuPy team submitted a takedown request to the PyPI team. pypi/support#923
  • 2021-02-26 08:38: Announced the incident to users via Twitter, Gitter and GitHub (#4765).
  • 2021-02-26 11:09: PyPI approved the request, transferred the ownership of the package to the CuPy project, and removed the invalid release asset.
  • 2021-03-02 07:59: The CuPy team released genuine cupy-cuda112 packages (CuPy built for CUDA 11.2).