[Python-Dev] PEP 594: Removing dead batteries from the standard library

Steven D'Aprano steve at pearwood.info
Wed May 22 06:37:28 EDT 2019

On Wed, May 22, 2019 at 01:59:59PM +0900, Stephen J. Turnbull wrote:

> This looks to me like an opening to a special class of supply chain
> attacks.

> One thing we *could* do that would require moderate effort would be to
> put them up on PyPI ourselves, and require that would-be maintainers
> be given a (light) vetting before handing over the keys.  (Maybe just
> require that they be subscribers to the Dead Parrot SIG? :-)

Because black hat hackers don't know how to subscribe to a SIG? *wink*

I'm just gonna leave this here... 


Python is open source, anyone can fork any module from the std lib for
any purposes. We can't stop that. But your earlier point about supply 
chain attacks is very valid. Modules we shift out of the stdlib become 
more vulnerable to supply chain attacks, because more people will have 
to download them, giving more opportunity for typo-squatter attacks.


More information about the Python-Dev mailing list