Fwd: Do projects exist to audit PyPI-hosted packages?

Mats Wichmann mats at wichmann.us
Fri May 6 15:00:24 EDT 2022


On 5/6/22 09:24, Sam Ezeh wrote:
> ---------- Forwarded message ---------
> From: Sam Ezeh <sam.z.ezeh at gmail.com>
> Date: Fri, 6 May 2022, 15:29
> Subject: Re: Do projects exist to audit PyPI-hosted packages?
> To: Skip Montanaro <skip.montanaro at gmail.com>
> 
> 
> I've had similar thoughts in the past. I don't know of anything but I
> wonder if repositories for other languages might have something to deal
> with it.
> 
> A related problem is that even if a package is maintained by somebody with
> good intentions, the account might be hijacked by a malicious actor and
> since PyPi is separate from source control, people might not be able to
> find out easily and malware could spread through PyPi.

FWIW, there's talk of mandating MFA or appropriately scoped tokens to
upload from a PyPi account to cut down on hijacking chances.  As I
understand it, a concern that has slowed this is that sometimes a
"release" involves a ton of actual package uploads and that could
involve considerable manual overhead if a 2FA sequence were required for
each one.  Meanwhile, individual projects can now require 2FA in order
for owners to do anything "administrative".

Probably others understand the current state of play better here....
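As an added illustration of the gap the thread describes (a PyPI release being independent of the project's source control, so an upload from a hijacked account is hard to notice), here is a small Python check. It is not part of this thread and not PyPI or pip tooling: it reads an sdist tarball, strips the top-level `name-version/` directory, and compares the file contents against a repository checkout, reporting files the repository never contained, files whose contents differ, and files the sdist dropped. The function names (`read_sdist`, `compare`, `audit`), the `generated_ok` allowlist for files setuptools legitimately generates, and both inputs (the "repository" mapping and the tarball) are constructed for this example.

```python
"""Added example: diff a PyPI sdist against a source-control checkout.

Hypothetical helper, not from the mailing-list thread or from PyPI/pip.
Assumes the release is a .tar.gz sdist and the repository checkout is
available as a {relative path: bytes} mapping (constructed inline below).
"""
import hashlib
import io
import tarfile


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def read_sdist(tar_bytes: bytes) -> dict:
    """Return {relative path: sha256} for every regular file in an sdist.

    sdists unpack into a single top-level directory (name-version/); that
    prefix is stripped so paths line up with the repository layout. Members
    are read in memory only, never extracted to disk, so tar path tricks
    cannot write outside a target directory.
    """
    files = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            rel = member.name.split("/", 1)[1] if "/" in member.name else member.name
            files[rel] = sha256(tar.extractfile(member).read())
    return files


def compare(sdist_files: dict, repo_files: dict, generated_ok=("PKG-INFO",)) -> dict:
    """Classify sdist contents relative to the repository checkout.

    generated_ok lists files a normal build adds that the repo never holds;
    anything else absent from the repo is flagged as unexpected.
    """
    repo_hashes = {p: sha256(b) for p, b in repo_files.items()}
    report = {"unexpected": [], "modified": [], "missing_from_sdist": []}
    for path, digest in sdist_files.items():
        if path in generated_ok:
            continue
        if path not in repo_hashes:
            report["unexpected"].append(path)
        elif repo_hashes[path] != digest:
            report["modified"].append(path)
    for path in repo_hashes:
        if path not in sdist_files:
            report["missing_from_sdist"].append(path)
    return {kind: sorted(paths) for kind, paths in report.items()}


def build_sdist(name_version: str, files: dict) -> bytes:
    """Build an in-memory .tar.gz shaped like an sdist (test fixture only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for rel, data in files.items():
            info = tarfile.TarInfo(f"{name_version}/{rel}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample: what the repository tag for 1.2.0 contains ...
REPO = {
    "setup.py": b"from setuptools import setup\nsetup(name='demo', version='1.2.0')\n",
    "demo/__init__.py": b"def hello():\n    return 'hi'\n",
    "README.md": b"# demo\n",
}

# ... versus what was uploaded as the 1.2.0 sdist (also constructed).
SDIST = build_sdist("demo-1.2.0", {
    "PKG-INFO": b"Name: demo\nVersion: 1.2.0\n",
    "setup.py": REPO["setup.py"],
    "demo/__init__.py": b"def hello():\n    return 'hi'\nimport demo._extra\n",
    "demo/_extra.py": b"# file that never existed in the repository\n",
})


def audit() -> dict:
    """Run the comparison on the constructed sample."""
    return compare(read_sdist(SDIST), REPO)


if __name__ == "__main__":
    for kind, paths in audit().items():
        print(f"{kind}: {paths}")
```

On a real package the repository mapping would come from a checkout of the tag the release claims to correspond to, and the allowlist would need the other files a build generates (for example `setup.cfg` or an `egg-info` directory). A non-empty "unexpected" or "modified" list is the signal worth a closer look; "missing_from_sdist" is usually benign (MANIFEST exclusions) but is reported so the reviewer decides.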
