[Python-Dev] PEP 594: Removing dead batteries from the standard library

Christian Heimes christian at python.org
Wed May 22 08:19:02 EDT 2019

On 22/05/2019 06.59, Stephen J. Turnbull wrote:
> Christian Heimes writes:
>  > It's all open source. It's up to the Python community to adopt
>  > packages and provide them on PyPI.
>  > 
>  > Python core will not maintain and distribute the packages. I'll
>  > merely provide a repository with packages to help kick-starting the
>  > process.
> This looks to me like an opening to a special class of supply chain
> attacks.  I realize that PyPI is not yet particularly robust to such
> attacks, and we have seen "similar name" attacks (malware uploaded
> under a name similar to a popular package).  ISTM that this approach
> to implementing the PEP will enable "identical name" attacks.  (By
> download count, stdlib packages are as popular as Python. :-)

I don't consider this an argument against my proposal, but an argument in favor of improving PyPI.

I propose a deal: If you get PEP 453 (ensurepip) revoked, ensurepip removed from the standard library, and the recommendation for the requests package on urllib.request replaced with a big, fat security warning, then I'll reconsider my proposal to recommend PyPI.


My PEP acts in good faith. As long as CPython's stdlib ships pip and embraces PyPI, I don't see any reason to distrust PyPI. Yes, PyPI is not Fort Knox. In my humble opinion it's more than secure enough for my proposal.


More information about the Python-Dev mailing list