[Python-Dev] PEP 594: Removing dead batteries from the standard library
Stephen J. Turnbull
turnbull.stephen.fw at u.tsukuba.ac.jp
Wed May 22 00:59:59 EDT 2019
Christian Heimes writes:
> It's all open source. It's up to the Python community to adopt
> packages and provide them on PyPI.
>
> Python core will not maintain and distribute the packages. I'll
> merely provide a repository with packages to help kick-starting the
> process.
This looks to me like an opening to a special class of supply chain
attacks. I realize that PyPI is not yet particularly robust to such
attacks, and we have seen "similar name" attacks (malware uploaded
under a name similar to a popular package). ISTM that this approach
to implementing the PEP will enable "identical name" attacks. (By
download count, stdlib packages are as popular as Python. :-)
It now appears that there's been substantial pushback against removing
packages that could be characterized as "obsolete and superseded but
still in use", so this may not be a sufficient great risk to be worth
addressing. I guess this post is already a warning to those who are
taking care of the "similar name" malware that this class of attacks
will be opened up.
One thing we *could* do that would require moderate effort would be to
put them up on PyPI ourselves, and require that would-be maintainers
be given a (light) vetting before handing over the keys. (Maybe just
require that they be subscribers to the Dead Parrot SIG? :-)
Steve
More information about the Python-Dev
mailing list