Post · bonfire.cafe

PyPI now checks for expired domains to prevent domain resurrection attacks, a type of supply-chain attack where someone buys an expired domain and uses it to take over #PyPI accounts through password resets. #Python #OpenSource #SupplyChain #Security
https://blog.pypi.org/posts/2025-08-18-preventing-domain-resurrections/

Stéphane Bortzmeyer

@bortzmeyer@mastodon.gougere.fr replied · last month

@pypi And what is a "custom domain name"? Why a special privilege for gmail.com?

Stéphane Bortzmeyer

@bortzmeyer@mastodon.gougere.fr replied · last month

@pypi Very good idea. But why using Domainr API instead of directly #RDAP to the registry?

Patrick Mevzek

@pmevzek@framapiaf.org replied · last month

@bortzmeyer @pypi Because not all #TLD registries joined the #RDAP fiesta 🙂 ? And in theory even a change of registrant, or maybe even DNS provider (or MX records) should trigger a "emails on this domain are not verified anymore" situation. As it should trigger certificates revocation too, which won't happen (hence shorter lifetimes as a solution).

Stéphane Bortzmeyer

@bortzmeyer@mastodon.gougere.fr replied · last month

@pmevzek @pypi But the article talks only about ICANN TLDs, which all have RDAP.

Patrick Mevzek

@pmevzek@framapiaf.org replied · last month

@bortzmeyer @pypi So either they forbid people using email addresses in ccTLDs (bad and probably not the case), or they consider that population to be more well-behaved regarding domain zombies (as they resurrect…) 🙂

bonfire.cafe

A space for Bonfire maintainers and contributors to communicate

bonfire.cafe: About · Code of conduct · Privacy · Users · Instances

Bonfire social · 1.0.0-rc.2.21 no JS en

Automatic federation enabled