[Python-Dev] PEP 594: Removing dead batteries from the standard library
This vector exists today for all new stdlib modules: once added, any
existing dependency could include that name to cater it to be imported on
prior python versions.
On Wed, 22 May 2019, 17:03 Stephen J. Turnbull, <
turnbull.stephen.fw at u.tsukuba.ac.jp> wrote:
> Christian Heimes writes:
> > It's all open source. It's up to the Python community to adopt
> > packages and provide them on PyPI.
> > Python core will not maintain and distribute the packages. I'll
> > merely provide a repository with packages to help kick-starting the
> > process.
> This looks to me like an opening to a special class of supply chain
> attacks. I realize that PyPI is not yet particularly robust to such
> attacks, and we have seen "similar name" attacks (malware uploaded
> under a name similar to a popular package). ISTM that this approach
> to implementing the PEP will enable "identical name" attacks. (By
> download count, stdlib packages are as popular as Python. :-)
> It now appears that there's been substantial pushback against removing
> packages that could be characterized as "obsolete and superseded but
> still in use", so this may not be a sufficient great risk to be worth
> addressing. I guess this post is already a warning to those who are
> taking care of the "similar name" malware that this class of attacks
> will be opened up.
> One thing we *could* do that would require moderate effort would be to
> put them up on PyPI ourselves, and require that would-be maintainers
> be given a (light) vetting before handing over the keys. (Maybe just
> require that they be subscribers to the Dead Parrot SIG? :-)
> Python-Dev mailing list
> Python-Dev at python.org
-------------- next part --------------
An HTML attachment was scrubbed...