Hey,
I wanted to check if the packages available on Pypi.org are scanned for any security vulnerabilities or not, can you please confirm.
My concern is how do you control if someone uploads a malicious code on Github
Prateek Mohta
Data Scientist, Data and Analytics
Equifax Inc.
O 770-740-5756 C 404-797-3893
This message contains proprietary information from Equifax which may be confidential. If you are not an intended recipient, please refrain from any disclosure, copying, distribution or use of this information and note that such actions are prohibited. If you have received this transmission in error, please notify by e-mail postmaster@equifax.com. Equifax® is a registered trademark of Equifax Inc. All rights reserved.
No, PyPI is an open repository, anyone can upload code. If we're informed of a malicious package, we'll remove it, but we can't make any claims to the security of individual packages.
Alex
On Thu, Feb 7, 2019 at 9:55 PM Prateek Mohta <Prateek.Mohta@equifax.com> wrote:
> Hey,
> I wanted to check if the packages available on Pypi.org are scanned for any security vulnerabilities or not, can you please confirm.
> My concern is how do you control if someone uploads a malicious code on Github
-- All that is necessary for evil to succeed is for good people to do nothing.
On Thu, Feb 7, 2019, at 11:55 PM, Prateek Mohta wrote:
> I wanted to check if the packages available on Pypi.org are scanned for any security vulnerabilities or not, can you please confirm.
As far as I know, they are not.
> My concern is how do you control if someone uploads a malicious code on Github
The only real control that PyPI implements is that once someone claims a name, they (or other people they designate) control what code goes under that name. So if you 'pip install django', you can trust that you're getting the package uploaded by the maintainers of the official Django project.
New names can be claimed by anyone, including people who may have malicious intent. Sometimes people have uploaded malicious packages with names similar to popular packages, in the hope that people will make a typo and install the malicious code. These are removed when someone notices them (and some obvious names are now blocked), but there's no guarantee that PyPI is free of malicious packages.
In summary: PyPI is infrastructure to distribute Python packages. It doesn't try to answer the question "is this safe to install?"
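A defensive check for the look-alike names described in the reply above, as an added example that is not part of the original thread: it compares requested package names against an allow-list and flags near misses before anything is installed. The allow-list, the sample names and the distance threshold are constructed assumptions.

```python
import re

# Constructed allow-list: the names a project actually intends to depend on.
INTENDED = {"django", "requests", "numpy", "python-dateutil"}

def normalize(name):
    """PEP 503 normalization: lower-case, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a, b):
    """Optimal-string-alignment distance (an adjacent swap counts as one edit)."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def check_requirements(names, intended=INTENDED, max_distance=2):
    """Return {requested name: intended name it nearly matches} for look-alikes."""
    known = {normalize(n) for n in intended}
    findings = {}
    for raw in names:
        name = normalize(raw)
        if name in known:
            continue  # exact match after normalization: the name we meant
        near = [k for k in known if edit_distance(name, k) <= max_distance]
        if near:
            findings[raw] = min(near, key=lambda k: (edit_distance(name, k), k))
    return findings

# Constructed requirement names, as they might appear in a requirements file.
SAMPLE = ["Django", "reqeusts", "numpy", "python_dateutil", "djang0", "flask"]

if __name__ == "__main__":
    for requested, meant in check_requirements(SAMPLE).items():
        print(f"{requested!r} is not on the allow-list but looks like {meant!r}")
```
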
I forgot to mention that there is work/discussion about supporting code signing, in PEPs 458 and 480. But it's a complicated topic, and code signing is not the silver bullet that some commentators seem to think it is.
On Fri, Feb 8, 2019, at 12:10 PM, Thomas Kluyver wrote:
> On Thu, Feb 7, 2019, at 11:55 PM, Prateek Mohta wrote:
> > I wanted to check if the packages available on Pypi.org are scanned for any security vulnerabilities or not, can you please confirm.
> As far as I know, they are not.
> > My concern is how do you control if someone uploads a malicious code on Github
> The only real control that PyPI implements is that once someone claims a name, they (or other people they designate) control what code goes under that name. So if you 'pip install django', you can trust that you're getting the package uploaded by the maintainers of the official Django project.
> New names can be claimed by anyone, including people who may have malicious intent. Sometimes people have uploaded malicious packages with names similar to popular packages, in the hope that people will make a typo and install the malicious code. These are removed when someone notices them (and some obvious names are now blocked), but there's no guarantee that PyPI is free of malicious packages.
> In summary: PyPI is infrastructure to distribute Python packages. It doesn't try to answer the question "is this safe to install?"
On Fri, Feb 8, 2019, 6:18 AM Thomas Kluyver <thomas@kluyver.me.uk> wrote:
> I forgot to mention that there is work/discussion about supporting code signing, in PEPs 458 and 480. But it's a complicated topic, and code signing is not the silver bullet that some commentators seem to think it is.
Yeah, I can sign malicious code just as well as sign normal code.
Plus, there's the difficulty of what exactly defines malicious code? Config management tools are legit, but if I installed them on your machine without your consent and controlled them, surprise! Now they're malicious!
So... Difficult topic, yeah. You and your organization just have to determine how much risk you're comfortable with.
On the plus side most Python packages are open source so you can just see what the code is doing, making security audits easier.
-W
On 2/8/19 3:09 PM, Wayne Werner wrote:
> On Fri, Feb 8, 2019, 6:18 AM Thomas Kluyver <thomas@kluyver.me.uk> wrote:
> > I forgot to mention that there is work/discussion about supporting code signing, in PEPs 458 and 480. But it's a complicated topic, and code signing is not the silver bullet that some commentators seem to think it is.
> Yeah, I can sign malicious code just as well as sign normal code.
> Plus, there's the difficulty of what exactly defines malicious code? Config management tools are legit, but if I installed them on your machine without your consent and controlled them, surprise! Now they're malicious!
> So... Difficult topic, yeah. You and your organization just have to determine how much risk you're comfortable with.
> On the plus side most Python packages are open source so you can just see what the code is doing, making security audits easier.
Just make sure you check the code you actually install. PyPI doesn't enforce that "matching" wheels and sdists contain the same code, or that they contain code from any linked GitHub repository, etc.
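One way to act on this advice, as an added example that is not part of the original thread: hash the Python sources inside a release's wheel and sdist and report the paths that differ, without installing or running either. The in-memory archives, the `demo` package and its flat source layout are constructed assumptions.

```python
import hashlib
import io
import tarfile
import zipfile

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def wheel_sources(wheel_bytes):
    """Map path -> SHA-256 for each .py file in a wheel (a zip archive)."""
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        return {n: sha256(zf.read(n)) for n in zf.namelist() if n.endswith(".py")}

def sdist_sources(sdist_bytes):
    """Same for a .tar.gz sdist, with the leading 'name-version/' directory removed."""
    found = {}
    with tarfile.open(fileobj=io.BytesIO(sdist_bytes), mode="r:gz") as tf:
        for m in tf.getmembers():
            if m.isfile() and m.name.endswith(".py"):
                found[m.name.split("/", 1)[-1]] = sha256(tf.extractfile(m).read())
    return found

def compare(wheel_bytes, sdist_bytes, ignore=("setup.py",)):
    """Return (differing, wheel_only, sdist_only) source paths; nothing is executed."""
    w, s = wheel_sources(wheel_bytes), sdist_sources(sdist_bytes)
    s = {p: h for p, h in s.items() if p not in ignore}  # build-only files
    differing = sorted(p for p in w.keys() & s.keys() if w[p] != s[p])
    return differing, sorted(w.keys() - s.keys()), sorted(s.keys() - w.keys())

# Constructed in-memory archives standing in for one release's wheel and sdist.
def make_wheel(files):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, body in files.items():
            zf.writestr(path, body)
    return buf.getvalue()

def make_sdist(files, root="demo-1.0"):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, body in files.items():
            info = tarfile.TarInfo(f"{root}/{path}")
            info.size = len(body)
            tf.addfile(info, io.BytesIO(body))
    return buf.getvalue()

SDIST = make_sdist({"setup.py": b"", "demo/core.py": b"def run():\n    return 1\n"})
WHEEL = make_wheel({"demo/core.py": b"def run():\n    return 2\n", "demo/extra.py": b"import os\n"})
print(compare(WHEEL, SDIST))
```
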
participants (5)
- Alex Gaynor
- Petr Viktorin
- Prateek Mohta
- Thomas Kluyver
- Wayne Werner