[Python-Dev] PEP 594: Removing dead batteries from the standard library

Robert Collins robertc at robertcollins.net
Wed May 22 01:40:48 EDT 2019


This vector exists today for all new stdlib modules: once added, any
existing dependency could include that name to cater it to be imported on
prior python versions.

Rob

On Wed, 22 May 2019, 17:03 Stephen J. Turnbull, <
turnbull.stephen.fw at u.tsukuba.ac.jp> wrote:

> Christian Heimes writes:
>
>  > It's all open source. It's up to the Python community to adopt
>  > packages and provide them on PyPI.
>  >
>  > Python core will not maintain and distribute the packages. I'll
>  > merely provide a repository with packages to help kick-starting the
>  > process.
>
> This looks to me like an opening to a special class of supply chain
> attacks.  I realize that PyPI is not yet particularly robust to such
> attacks, and we have seen "similar name" attacks (malware uploaded
> under a name similar to a popular package).  ISTM that this approach
> to implementing the PEP will enable "identical name" attacks.  (By
> download count, stdlib packages are as popular as Python. :-)
>
> It now appears that there's been substantial pushback against removing
> packages that could be characterized as "obsolete and superseded but
> still in use", so this may not be a sufficiently great risk to be worth
> addressing.  I guess this post is already a warning to those who are
> taking care of the "similar name" malware that this class of attacks
> will be opened up.
>
> One thing we *could* do that would require moderate effort would be to
> put them up on PyPI ourselves, and require that would-be maintainers
> be given a (light) vetting before handing over the keys.  (Maybe just
> require that they be subscribers to the Dead Parrot SIG? :-)
>
> Steve
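A defender-side check for the vector Rob and Stephen describe, added here as an example and not code from the thread or from CPython: it scans a requirements file for dependency names that coincide with stdlib module names, in particular the PEP 594 removal list. The module list is transcribed from the PEP as an assumption (the thread itself does not enumerate it); `sys.stdlib_module_names` exists only on Python 3.10+, so the code falls back to `sys.builtin_module_names` on older interpreters.

```python
import re
import sys
# PEP 594 "dead batteries", transcribed from the PEP's final list (an assumption: the thread does not list them).
PEP_594_MODULES = frozenset({
    "aifc", "asynchat", "asyncore", "audioop", "cgi", "cgitb", "chunk",
    "crypt", "imghdr", "imp", "mailcap", "msilib", "nis", "nntplib",
    "ossaudiodev", "pipes", "smtpd", "sndhdr", "spwd", "sunau", "telnetlib",
    "uu", "xdrlib",
})

def normalize(name):
    # PEP 503 normalisation, so 'Smtpd' and 'smtpd' compare equal.
    return re.sub(r"[-_.]+", "-", name).lower()

def requirement_name(line):
    # Project name from one requirements.txt line; None for blanks and options.
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    match = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
    return match.group(0) if match else None

def stdlib_names():
    # Modules shipped with the running interpreter (sys.stdlib_module_names is 3.10+).
    names = set(getattr(sys, "stdlib_module_names", ())) | set(sys.builtin_module_names)
    return {normalize(n) for n in names}

def audit(requirements_text, stdlib=None):
    # (line number, name, reason) for each dependency named like a stdlib module.
    # A hit is a review item, not proof of malice: legitimate backports exist.
    stdlib = stdlib_names() if stdlib is None else {normalize(n) for n in stdlib}
    dead = {normalize(n) for n in PEP_594_MODULES}
    findings = []
    for lineno, line in enumerate(requirements_text.splitlines(), 1):
        name = requirement_name(line)
        if name is None:
            continue
        key = normalize(name)
        if key in dead:
            findings.append((lineno, name, "pep594-removed-module"))
        elif key in stdlib:
            findings.append((lineno, name, "stdlib-module-name"))
    return findings

SAMPLE_REQUIREMENTS = """# constructed sample, not a real project's requirements
requests==2.31.0
asyncore            # on a Python without it, pip resolves this name on PyPI
smtpd>=1.0 ; python_version >= "3.12"
typing ; python_version < "3.5"
-r other.txt"""
```

Passing `stdlib` explicitly makes the result independent of the interpreter running the check, which is what you want when auditing a lock file meant for a different Python version.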

