[Python-Dev] PEP 594: Removing dead batteries from the standard library
Steven D'Aprano
steve at pearwood.info
Wed May 22 06:37:28 EDT 2019
On Wed, May 22, 2019 at 01:59:59PM +0900, Stephen J. Turnbull wrote:
> This looks to me like an opening to a special class of supply chain
> attacks.
[...]
> One thing we *could* do that would require moderate effort would be to
> put them up on PyPI ourselves, and require that would-be maintainers
> be given a (light) vetting before handing over the keys. (Maybe just
> require that they be subscribers to the Dead Parrot SIG? :-)
Because black hat hackers don't know how to subscribe to a SIG? *wink*
I'm just gonna leave this here...
https://www.ietf.org/rfc/rfc3514.txt
Python is open source, anyone can fork any module from the std lib for
any purposes. We can't stop that. But your earlier point about supply
chain attacks is very valid. Modules we shift out of the stdlib become
more vulnerable to supply chain attacks, because more people will have
to download them, giving more opportunity for typo-squatter attacks.
--
Steven
More information about the Python-Dev
mailing list