Packagist hack? #270

Open
shaneiseminger opened this issue Nov 22, 2021 · 6 comments

Comments

@shaneiseminger

Not sure what's happening here, but it doesn't look right.

Composer installs started failing today saying that an existing commit doesn't exist.

We have had this package installed for years:

https://packagist.org/packages/jublonet/codebird-php

I see that the page seems to list active data for the project, but it links to this repo, which is empty but for a single file:

https://github.com/jublonet/codebird-php

If you look at the user who committed the file there, they've made several other commits on other repos of the same or similar file.

@dave2309

Same here

@mynetx
Member

mynetx commented Nov 23, 2021

@shaneiseminger @dave2309 Thanks for notifying us about this issue. We’ve updated Packagist to reflect the current GitHub repo URL.

Here’s what happened:
We had renamed our GitHub organisation years ago, and there had been an automatic redirect in place, sending users from jublonet to jublo. However now someone created a new GitHub organization called jublonet, clearly with the intention of misleading users and breaking Composer installations of Codebird.

//cc @joshuaatkins
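The rename-redirect problem mynetx describes above can be checked for from the consuming side: does a lock file's recorded GitHub owner still match where that URL resolves, and does the pinned commit actually exist in the repository now answering at that URL? The script below is an added example, not code from this thread or from the Codebird project. The package name `oldorg/widget`, the owners `oldorg`/`neworg` and every commit hash in it are constructed, and the `fake_resolvers` tables stand in for GitHub lookups so the demo runs offline; `github_resolve_repo_live` shows how a real resolver would follow GitHub's redirect with `urllib`, but the demo never calls it.

```python
"""Audit composer.lock GitHub sources for rename-redirect hijacking.
Added example, not code from the Codebird project or this thread; lookups are
injected as callables so the demo at the bottom runs offline."""
import json
import re
from typing import Callable, Dict, List, Optional, Set, Tuple

Repo = Tuple[str, str]  # (owner, name)
Finding = Dict[str, str]
GITHUB_URL = re.compile(r"^(?:https?://|git@)github\.com[/:]([^/]+)/([^/]+?)(?:\.git)?/?$")

def parse_github_url(url: str) -> Optional[Repo]:
    """(owner, name) for an https or ssh GitHub URL, else None."""
    m = GITHUB_URL.match(url.strip())
    return (m.group(1), m.group(2)) if m else None

def lock_packages(lock_text: str) -> List[dict]:
    """Production and dev entries from composer.lock JSON."""
    lock = json.loads(lock_text)
    return list(lock.get("packages", [])) + list(lock.get("packages-dev", []))

def audit_lock(lock_text: str,
               resolve_repo: Callable[[str, str], Optional[Repo]],
               commit_exists: Callable[[str, str, str], bool]) -> List[Finding]:
    """Flag git-sourced GitHub packages whose recorded owner only works via a
    rename redirect (owner_drift: the old name is claimable) or whose pinned
    commit is absent from the repo now at that URL (dangling_reference: the
    'existing commit doesn't exist' symptom from the thread)."""
    findings: List[Finding] = []
    for pkg in lock_packages(lock_text):
        src = pkg.get("source") or {}
        parsed = parse_github_url(src.get("url", "")) if src.get("type") == "git" else None
        if parsed is None:
            continue  # non-git or non-GitHub sources are outside this check
        owner, name = parsed
        ref = src.get("reference", "")
        current = resolve_repo(owner, name)
        if current is None:
            findings.append({"package": pkg["name"], "issue": "unresolvable",
                             "detail": f"{owner}/{name} no longer resolves"})
            continue
        if current[0].lower() != owner.lower():
            findings.append({"package": pkg["name"], "issue": "owner_drift",
                             "detail": f"{owner}/{name} redirects to {current[0]}/{current[1]}; "
                                       f"owner {owner!r} is claimable"})
        if not commit_exists(current[0], current[1], ref):
            findings.append({"package": pkg["name"], "issue": "dangling_reference",
                             "detail": f"pinned commit {ref[:12]} absent from {current[0]}/{current[1]}"})
    return findings

def fake_resolvers(redirects: Dict[Repo, Repo], commits: Dict[Repo, Set[str]]):
    """Offline stand-ins for GitHub lookups, driven by constructed tables."""
    def resolve_repo(owner: str, name: str) -> Optional[Repo]:
        return redirects.get((owner, name))

    def commit_exists(owner: str, name: str, sha: str) -> bool:
        return sha in commits.get((owner, name), set())
    return resolve_repo, commit_exists

def github_resolve_repo_live(owner: str, name: str) -> Optional[Repo]:
    """Network-backed resolver (not used by the demo): follow GitHub's rename
    redirect via urllib and report where the repository lives now."""
    import urllib.error
    import urllib.request
    try:
        with urllib.request.urlopen(f"https://github.com/{owner}/{name}") as resp:
            return parse_github_url(resp.geturl())
    except urllib.error.HTTPError:
        return None

# Constructed composer.lock fragment: package, owners and hashes are hypothetical.
PINNED_SHA = "0123456789abcdef0123456789abcdef01234567"
SAMPLE_LOCK_TEXT = json.dumps({"packages": [{
    "name": "oldorg/widget", "version": "1.2.3",
    "source": {"type": "git", "url": "https://github.com/oldorg/widget.git",
               "reference": PINNED_SHA}}]})

def scenario_before_hijack() -> List[Finding]:
    """Owner renamed oldorg -> neworg and GitHub still redirects the old name."""
    resolve, exists = fake_resolvers({("oldorg", "widget"): ("neworg", "widget")},
                                     {("neworg", "widget"): {PINNED_SHA}})
    return audit_lock(SAMPLE_LOCK_TEXT, resolve, exists)

def scenario_after_hijack() -> List[Finding]:
    """A third party registered oldorg, so the old URL now serves their repo."""
    resolve, exists = fake_resolvers({("oldorg", "widget"): ("oldorg", "widget")},
                                     {("oldorg", "widget"): {"fedcba98" * 5}})
    return audit_lock(SAMPLE_LOCK_TEXT, resolve, exists)

if __name__ == "__main__":
    for label, found in (("before hijack", scenario_before_hijack()),
                         ("after hijack", scenario_after_hijack())):
        print(label)
        for f in found:
            print(f"  [{f['issue']}] {f['package']}: {f['detail']}")
```

The two scenarios map onto the thread: while the redirect was in place the audit reports `owner_drift`, which is the moment to repoint the lock file (and the Packagist entry) at the new owner; once a squatter registers the old name, the redirect disappears and the pinned commit is missing from the repo that now answers, which the audit reports as `dangling_reference`. To run it against a real lock file, pass `github_resolve_repo_live` and a commit checker that queries the GitHub API in place of the `fake_resolvers` pair.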

@dave2309

@joshuaatkins thanks for your reply.
Still packagist is only showing jublonet/codebird-php, instead of jublo/codebird-php
Any idea how long that would need to propagate (if necessary)?

@mynetx
Member

mynetx commented Nov 23, 2021

@dave2309 The package should already have the updated source URL from GitHub. I did a test install on a blank folder, and Composer did pick up the correct files for me.

The Packagist package name itself cannot be updated for (similar) security reasons, and the only path for us would be to declare the jublonet/* packages as abandoned and superseded by newly submitted jublo/* packages.

@dave2309

@mynetx thanks, working now...

@shaneiseminger
Author

> We had renamed our GitHub organisation years ago, and there had been an automatic redirect in place, sending users from jublonet to jublo. However now someone created a new GitHub organization called jublonet, clearly with the intention of misleading users and breaking Composer installations of Codebird.

Ah, makes sense now. Going to flag the user doing it as s/he/they is clearly trying to do that with a lot of repos and it also clearly opens a huge security hole through which any kind of code could be injected.
