Hello, hope you're doing well. I greatly appreciate the effort of you people to make open source projects like you do, but I must ask. I have heard that security is quite lax when installing modules using the most popular sites for Python modules. Would you know of how I would protect myself more from potentially malicious fakes of popular Python modules?
The main thing for you to do is to double-check all the names you type in *before* you install anything. Most of the "security" issues come down to people trying to catch misspellings ("typo-squatting"), so if you've spelled everything correctly, you'll get the packages you expected.

If you don't even trust *those* packages, or their dependencies, you're signing up for a whole lot more work (reviewing code, manually creating a private mirror, curation, etc.). Ultimately it will be up to you to decide who you trust and how much you trust them.

I believe the infrastructure itself to be trustworthy, and most of the people publishing popular packages are trustworthy. But ultimately you're on your own right now for detecting impersonation.

Cheers,
Steve

On 9/17/2021 5:13 PM, Sonic Emitter3000 wrote:
> Hello, hope you're doing well. I greatly appreciate the effort of you people to make open source projects like you do, but I must ask.
> I have heard that security is quite lax when installing modules using the most popular sites for Python modules. Would you know of how I would protect myself more from potentially malicious fakes of popular Python modules?
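One way to put Steve's advice ("double-check all the names you type in before you install anything") into a pre-install check is below. This is an added example, not code from this thread or from python.org: it assumes a constructed allowlist of the package names you actually intend to install, normalizes names the way the index does (PEP 503), and flags any requirement that is a one- or two-letter slip away from an allowed name, which is exactly the typo-squatting pattern the reply describes.

```python
import re

# Constructed allowlist: package names you have verified and intend to install.
ALLOWED = {"requests", "numpy", "cryptography", "pyyaml", "python-dateutil"}


def normalize(name):
    """PEP 503 normalization: case-insensitive, runs of -_. become a single '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a, b):
    """Damerau-Levenshtein (optimal string alignment) distance between a and b."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # swapped letters
    return d[len(a)][len(b)]


def check_requirements(lines, allowed=ALLOWED, max_dist=2):
    """Map each requirement name to 'ok' (on the allowlist), 'suspicious:<name>'
    (close to an allowed name but not equal to it) or 'unknown' (not allowed)."""
    allowed_norm = {normalize(n) for n in allowed}
    verdicts = {}
    for line in lines:
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        # The name ends at the first extras bracket, version specifier or marker.
        name = re.split(r"[\s\[<>=!~;@]", line, maxsplit=1)[0]
        norm = normalize(name)
        if norm in allowed_norm:
            verdicts[name] = "ok"
            continue
        closest = min(allowed_norm, key=lambda n: edit_distance(norm, n))
        dist = edit_distance(norm, closest)
        verdicts[name] = f"suspicious:{closest}" if dist <= max_dist else "unknown"
    return verdicts


if __name__ == "__main__":
    # Constructed requirements.txt contents containing two one-letter slips.
    sample = ["requests==2.26.0", "nunpy", "crpytography>=3.4", "PyYAML", "flask"]
    for name, verdict in check_requirements(sample).items():
        print(f"{name:20} {verdict}")
```

Run it over your requirements file before `pip install -r`; a "suspicious" verdict means the name is almost, but not quite, one you meant to type, and "unknown" means it is not on your allowlist at all.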
Awesome, thanks for the information.

On Thu, Sep 23, 2021, 2:11 PM Steve Dower <steve.dower@python.org> wrote:
> The main thing for you to do is to double-check all the names you type in *before* you install anything. Most of the "security" issues come down to people trying to catch misspellings ("typo-squatting"), so if you've spelled everything correctly, you'll get the packages you expected.
>
> If you don't even trust *those* packages, or their dependencies, you're signing up for a whole lot more work (reviewing code, manually creating a private mirror, curation, etc.). Ultimately it will be up to you to decide who you trust and how much you trust them.
>
> I believe the infrastructure itself to be trustworthy, and most of the people publishing popular packages are trustworthy. But ultimately you're on your own right now for detecting impersonation.
>
> Cheers,
> Steve
>
> On 9/17/2021 5:13 PM, Sonic Emitter3000 wrote:
>> Hello, hope you're doing well. I greatly appreciate the effort of you people to make open source projects like you do, but I must ask.
>> I have heard that security is quite lax when installing modules using the most popular sites for Python modules. Would you know of how I would protect myself more from potentially malicious fakes of popular Python modules?
participants (2): Sonic Emitter3000, Steve Dower