http://incolumitas.com/2016/06/08/typosquatting-package-managers/
http://incolumitas.com/data/thesis.pdf
There is a thesis written about achieving RCE through typosquatting on popular package managers. The situation isn't quite so bad in Clojars as people can't copy someone else's group name, and Leiningen doesn't execute arbitrary code when JARs are downloaded (we do it at runtime 😄). Nonetheless, we should look at the paper, identify what our risks are, and mitigate them.
cf. http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/, https://www.pytosquatting.org
martinklepsch
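As an added illustration of one mitigation the issue asks for (this is example code, not part of the original issue or of the Clojars code base), the check below flags a newly proposed `group/artifact` coordinate whose segments are each within one edit (insertion, deletion, substitution or transposition) of a popular coordinate, after folding case and separators so that `clj_http` and `cljhttp` compare equal. The list of popular coordinates is constructed for the example; a real registry would derive it from download statistics (assumption).

```python
"""Heuristic typosquat check for Clojars-style coordinates (added example)."""
import re

# Constructed sample of popular coordinates; a real deployment would build
# this list from download statistics (assumption).
POPULAR = ["org.clojure/clojure", "ring/ring-core", "compojure/compojure",
           "cheshire/cheshire", "clj-http/clj-http", "hiccup/hiccup"]


def normalize(segment):
    """Fold case and separators so 'clj_http', 'clj-http' and 'cljhttp' match."""
    return re.sub(r"[-_.]", "", segment.lower())


def damerau_levenshtein(a, b):
    """Optimal string alignment distance: insert/delete/substitute/transpose."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def coordinate(name):
    """Clojars shorthand: a bare artifact name implies group == artifact."""
    return name if "/" in name else f"{name}/{name}"


def suspicious(candidate, popular=POPULAR, max_dist=1):
    """Return the popular coordinates the candidate is confusable with.

    Both the group and the artifact segment must be within max_dist edits
    after normalization. An exact match is not a typosquat (the registry
    already refuses to overwrite an existing release), so it is skipped.
    """
    cand = coordinate(candidate)
    cg, ca = cand.split("/", 1)
    hits = []
    for p in popular:
        if cand == p:
            continue
        pg, pa = p.split("/", 1)
        if (damerau_levenshtein(normalize(cg), normalize(pg)) <= max_dist
                and damerau_levenshtein(normalize(ca), normalize(pa)) <= max_dist):
            hits.append(p)
    return hits
```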