Do projects exist to audit PyPI-hosted packages?

From: skip.mon...@gmail.com (Skip Montanaro)
Newsgroups: comp.lang.python
Subject: Do projects exist to audit PyPI-hosted packages?
Date: Fri, 6 May 2022 08:06:57 -0500
Message-ID: <mailman.320.1651842446.20749.python-list@python.org>
 by: Skip Montanaro - Fri, 6 May 2022 13:06 UTC

I woke with a start in what amounted to the middle of the night (I really
need to get about three more hours of sleep, but you'll understand why I
was awake to write this).

Many years ago, so as to preserve my wrists, I wrote a tool
<https://github.com/smontanaro/python-bits/blob/main/src/watch.py> to
monitor mouse and keyboard activity. It tells me when to rest. I use it
when I have problems, then put it away until it's needed again. I have
resurrected it a few times over the years, most recently a month or two
ago. Having never been all that fond of how I tracked keyboard and mouse
activity, I was happy when I stumbled upon pynput
<https://pypi.org/project/pynput/>. "Yay!", I thought. My worries are over.

Then extremely early this morning I woke thinking, "Damn, this runs on my
computer and it can see my mouse and keyboard activity. How do I know it's
not stealing my keystrokes?" Not going back to sleep after that. So, I'm
going through the code (and the Xlib package on which it relies) to make
myself more comfortable that there are no issues. Note: I am *most
certainly not* accusing the pynput author of any mischief. In fact, I
suspect there's no problem with the package. It's got a bunch of stars and
plenty of forks on GitHub (for what that's worth). I suspect the code has
had plenty of eyeballs looking at it. Still, I don't really know how well
vetted it might be, so I have no assurances of that. I saw it mentioned
somewhere (discuss I think?), checked it out, and thought it would solve my
activity tracking in a cross-platform way. (I currently only use an Xorg
environment, so while I am looking at the code, I'm not paying attention to
the Windows or MacOS bits either.)

This got me thinking. If I'm curious about pynput, might other people be as
well? What about other packages? I'm actually not worried about Python
proper or vulnerabilities which have already been found
<https://github.com/pypa/advisory-database>. PyPI currently advertises that
it hosts over 373k packages. With that many hosted packages, it is almost
certainly a haven for some undetected vulnerabilities. Knowing which
packages have been audited — at least in a cursory fashion — could be used
as a further criterion to use when deciding which packages to consider
using on a project.

So, does something already exist (pointers appreciated)? Thx...

Skip
