[Python-Dev] PEP 594: Removing dead batteries from the standard library
On 22/05/2019 06.59, Stephen J. Turnbull wrote:
> Christian Heimes writes:
> > It's all open source. It's up to the Python community to adopt
> > packages and provide them on PyPI.
> > Python core will not maintain and distribute the packages. I'll
> > merely provide a repository with packages to help kick-starting the
> > process.
> This looks to me like an opening to a special class of supply chain
> attacks. I realize that PyPI is not yet particularly robust to such
> attacks, and we have seen "similar name" attacks (malware uploaded
> under a name similar to a popular package). ISTM that this approach
> to implementing the PEP will enable "identical name" attacks. (By
> download count, stdlib packages are as popular as Python. :-)
I don't consider this an argument against my proposal, but an argument in favor of improving PyPI.
I propose a deal: If you get PEP 453 (ensurepip) revoked, ensurepip removed from the standard library, and the recommendation for the requests package on urllib.request replaced with a big, fat security warning, then I'll reconsider my proposal to recommend PyPI.
My PEP acts in good faith. As long as CPython's stdlib ships pip and embraces PyPI, I don't see any reason to distrust PyPI. Yes, PyPI is not Fort Knox. In my humble opinion it's more than secure enough for my proposal.