Fwd: Do projects exist to audit PyPI-hosted packages?

Sam Ezeh sam.z.ezeh at gmail.com
Fri May 6 11:24:33 EDT 2022


---------- Forwarded message ---------
From: Sam Ezeh <sam.z.ezeh at gmail.com>
Date: Fri, 6 May 2022, 15:29
Subject: Re: Do projects exist to audit PyPI-hosted packages?
To: Skip Montanaro <skip.montanaro at gmail.com>


I've had similar thoughts in the past. I don't know of anything but I
wonder if repositories for other languages might have something to deal
with it.

A related problem is that even if a package is maintained by somebody with
good intentions, the account might be hijacked by a malicious actor and
since PyPI is separate from source control, people might not be able to
find out easily and malware could spread through PyPI.

Kind regards,
Sam Ezeh


On Fri, 6 May 2022, 14:08 Skip Montanaro, <skip.montanaro at gmail.com> wrote:

> I woke with a start in what amounted to the middle of the night (I really
> need to get about three more hours of sleep, but you'll understand why I
> was awake to write this).
>
> Many years ago, so as to preserve my wrists, I wrote a tool
> <https://github.com/smontanaro/python-bits/blob/main/src/watch.py> to
> monitor mouse and keyboard activity. It tells me when to rest. I use it
> when I have problems, then put it away until it's needed again. I have
> resurrected it a few times over the years, most recently a month or two
> ago. Having never been all that fond of how I tracked keyboard and mouse
> activity, I was happy when I stumbled upon pynput
> <https://pypi.org/project/pynput/>. "Yay!", I thought. My worries are
> over.
>
> Then extremely early this morning I woke thinking, "Damn, this runs on my
> computer and it can see my mouse and keyboard activity. How do I know it's
> not stealing my keystrokes?" Not going back to sleep after that. So, I'm
> going through the code (and the Xlib package on which it relies) to make
> myself more comfortable that there are no issues. Note: I am *most
> certainly not* accusing the pynput author of any mischief. In fact, I
> suspect there's no problem with the package. It's got a bunch of stars and
> plenty of forks on GitHub (for what that's worth). I suspect the code has
> had plenty of eyeballs looking at it. Still, I don't really know how well
> vetted it might be, so I have no assurances of that. I saw it mentioned
> somewhere (discuss I think?), checked it out, and thought it would solve my
> activity tracking in a cross-platform way. (I currently only use an Xorg
> environment, so while I am looking at the code, I'm not paying attention to
> the Windows or MacOS bits either.)
>
> This got me thinking. If I'm curious about pynput, might other people be as
> well? What about other packages? I'm actually not worried about Python
> proper or vulnerabilities which have already been found
> <https://github.com/pypa/advisory-database>. PyPI currently advertises
> that it hosts over 373k packages. With that many hosted packages, it is almost
> certainly a haven for some undetected vulnerabilities. Knowing which
> packages have been audited — at least in a cursory fashion — could be used
> as a further criterion to use when deciding which packages to consider
> using on a project.
>
> So, does something already exist (pointers appreciated)? Thx...
>
> Skip
>
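One practical way to make the gap Sam describes between PyPI and source control visible is to diff the uploaded sdist against a source archive of the tagged release and flag files that exist only in the upload or whose contents differ. This is an added example, not code from this thread or from any PyPI project: the two archives are constructed in memory for illustration, and in real use they would be the sdist fetched from PyPI and the output of `git archive <tag>` for the matching release.

```python
"""Compare a PyPI sdist tarball against a source-control archive of the same release."""
import hashlib
import io
import tarfile


def _digest_tree(tar_bytes):
    """Map each regular file (top-level directory stripped) to its SHA-256 hex digest.

    PKG-INFO and *.egg-info/ are generated at sdist build time, so they are skipped
    rather than reported as files missing from the repository.
    """
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            # both archives wrap their contents in "<name>-<version>/"; drop that prefix
            path = member.name.split("/", 1)[1] if "/" in member.name else member.name
            if path == "PKG-INFO" or ".egg-info/" in path:
                continue
            digests[path] = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
    return digests


def compare_sdist_to_repo(sdist_bytes, repo_bytes):
    """Return files only in the sdist, only in the repo, and files whose contents differ."""
    sdist, repo = _digest_tree(sdist_bytes), _digest_tree(repo_bytes)
    return {
        "only_in_sdist": sorted(set(sdist) - set(repo)),
        "only_in_repo": sorted(set(repo) - set(sdist)),
        "modified": sorted(p for p in sdist.keys() & repo.keys() if sdist[p] != repo[p]),
    }


def make_tar(prefix, files):
    """Build an in-memory .tar.gz from {path: bytes}; used only to construct sample input."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(f"{prefix}/{path}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample: the repository tag and an sdist that gained one extra module
# and a changed setup.py, which is exactly what a hijacked upload would look like.
REPO_ARCHIVE = make_tar("somepkg-1.0", {
    "setup.py": b"from setuptools import setup\nsetup(name='somepkg')\n",
    "somepkg/__init__.py": b"VERSION = '1.0'\n",
})
SDIST_ARCHIVE = make_tar("somepkg-1.0", {
    "PKG-INFO": b"Name: somepkg\nVersion: 1.0\n",
    "setup.py": b"from setuptools import setup\nimport os\nsetup(name='somepkg')\n",
    "somepkg/__init__.py": b"VERSION = '1.0'\n",
    "somepkg/_helper.py": b"# file absent from the tagged source\n",
})
```

An empty report for a release is not proof of a clean package, only that the upload matches what is in the repository at that tag; the code itself still needs reading, as Skip is doing.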
