Do projects exist to audit PyPI-hosted packages?
Skip Montanaro
skip.montanaro at gmail.com
Fri May 6 13:36:26 EDT 2022
>
> A related problem is that even if a package is maintained by somebody with
> good intentions, the account might be hijacked by a malicious actor and
> since PyPi is separate from source control, people might not be able to
> find out easily and malware could spread through PyPi.
>
I hadn't considered that. Some sort of authenticated connection between the
source code hosting service and the PyPI user posting the package would be
nice.
<ramble mode="on">
Some other (only tangentially related) stuff occurs to me as I search for
useful bits...
I'd kinda be curious what hosting services other than GitHub or GitLab are
in common use. GNU Savannah? SourceForge? PyPI relevance isn't a terrific
indicator (I assume it uses Libraries.io's SourceRank to get a relevance
score), but it's still some kind of indicator how useful a package is.
Perhaps the PyPI BigQuery stuff has hosting info. I've not dug into it.
(Thinking that obscure hosting service might be a small knock against a
package, but that's just a thought. I realize not everyone is happy with
corporate hosting services.)
Having a decent idea what functional alternatives are out there to a
particular package would be nice as well. Again, considering pynput, I hit
Google up for "python packages similar to pynput" which led me here:
https://www.libhunt.com/r/pynput
I was unaware of its existence before. I have no idea how useful it might
be for narrowly focused packages like pynput. Something with application to
a much wider community, like numpy, returns a bunch more:
https://www.libhunt.com/r/numpy
</ramble>
Skip
More information about the Python-list
mailing list