Fwd: Do projects exist to audit PyPI-hosted packages?

https://www.novabbs.com/devel/article-flat.php?id=18149&group=comp.lang.python#18149

From: sam.z.e...@gmail.com (Sam Ezeh)
Newsgroups: comp.lang.python
Subject: Fwd: Do projects exist to audit PyPI-hosted packages?
Date: Fri, 6 May 2022 16:24:33 +0100
Lines: 74
Message-ID: <mailman.322.1651850689.20749.python-list@python.org>

---------- Forwarded message ---------
From: Sam Ezeh <sam.z.ezeh@gmail.com>
Date: Fri, 6 May 2022, 15:29
Subject: Re: Do projects exist to audit PyPI-hosted packages?
To: Skip Montanaro <skip.montanaro@gmail.com>

I've had similar thoughts in the past. I don't know of anything, but I
wonder if repositories for other languages might have something to deal
with it.

A related problem is that even if a package is maintained by somebody with
good intentions, the account might be hijacked by a malicious actor, and
since PyPI is separate from source control, people might not be able to
find out easily and malware could spread through PyPI.

Kind regards,
Sam Ezeh

On Fri, 6 May 2022, 14:08 Skip Montanaro, <skip.montanaro@gmail.com> wrote:

> I woke with a start in what amounted to the middle of the night (I really
> need to get about three more hours of sleep, but you'll understand why I
> was awake to write this).
>
> Many years ago, so as to preserve my wrists, I wrote a tool
> <https://github.com/smontanaro/python-bits/blob/main/src/watch.py> to
> monitor mouse and keyboard activity. It tells me when to rest. I use it
> when I have problems, then put it away until it's needed again. I have
> resurrected it a few times over the years, most recently a month or two
> ago. Having never been all that fond of how I tracked keyboard and mouse
> activity, I was happy when I stumbled upon pynput
> <https://pypi.org/project/pynput/>. "Yay!", I thought. My worries are
> over.
>
> Then extremely early this morning I woke thinking, "Damn, this runs on my
> computer and it can see my mouse and keyboard activity. How do I know it's
> not stealing my keystrokes?" Not going back to sleep after that. So, I'm
> going through the code (and the Xlib package on which it relies) to make
> myself more comfortable that there are no issues. Note: I am *most
> certainly not* accusing the pynput author of any mischief. In fact, I
> suspect there's no problem with the package. It's got a bunch of stars and
> plenty of forks on GitHub (for what that's worth). I suspect the code has
> had plenty of eyeballs looking at it. Still, I don't really know how well
> vetted it might be, so I have no assurances of that. I saw it mentioned
> somewhere (discuss I think?), checked it out, and thought it would solve my
> activity tracking in a cross-platform way. (I currently only use an Xorg
> environment, so while I am looking at the code, I'm not paying attention to
> the Windows or MacOS bits either.)
>
> This got me thinking. If I'm curious about pynput, might other people be as
> well? What about other packages? I'm actually not worried about Python
> proper or vulnerabilities which have already been found
> <https://github.com/pypa/advisory-database>. PyPI currently advertises
> that it hosts over 373k packages. With that many hosted packages, it is almost
> certainly a haven for some undetected vulnerabilities. Knowing which
> packages have been audited — at least in a cursory fashion — could be used
> as a further criterion to use when deciding which packages to consider
> using on a project.
>
> So, does something already exist (pointers appreciated)? Thx...
>
> Skip
> --
> https://mail.python.org/mailman/listinfo/python-list
>
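
The failure mode Sam raises, a PyPI upload that no longer matches what is in source control, is something you can check mechanically rather than by reading every file. The script below is an added example and is not code from this thread, from pynput, or from any PyPI tooling. It hashes every file in a source checkout, hashes every file inside an sdist tarball, and reports files whose contents differ or that exist only in the upload. The repository tree and the sdist are constructed in memory so it runs offline; the package name `demo`, the injected `demo/_extra.py` module and the allow-list of generated files (`PKG-INFO`, `setup.cfg`, `*.egg-info/`) are assumptions for the demonstration, and `matches_pin` performs the same digest comparison that `pip install --require-hashes` does against a pinned requirement.

```python
"""Compare a PyPI sdist against a source checkout (added example, not from the thread).

Everything here is constructed: a fake repository tree written to a temp dir and a
fake sdist tarball built in memory, so the script needs no network access.
"""
from __future__ import annotations

import hashlib
import hmac
import io
import tarfile
from pathlib import Path
from tempfile import TemporaryDirectory


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_tree(root: Path) -> dict[str, str]:
    """Map relative POSIX path -> sha256 for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): sha256_bytes(p.read_bytes())
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def hash_sdist(sdist_bytes: bytes) -> dict[str, str]:
    """Map path -> sha256 for every file in an sdist, dropping the 'name-version/' prefix."""
    out: dict[str, str] = {}
    with tarfile.open(fileobj=io.BytesIO(sdist_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            # sdists wrap all files in a single top-level directory
            rel = member.name.split("/", 1)[1] if "/" in member.name else member.name
            out[rel] = sha256_bytes(tar.extractfile(member).read())
    return out


def compare(repo: dict[str, str], sdist: dict[str, str],
            generated_ok: tuple[str, ...] = ("PKG-INFO", "setup.cfg")) -> dict[str, list[str]]:
    """Classify upload contents relative to the repository tree.

    changed    : present in both, contents differ (review these first)
    only_sdist : present in the upload but absent from the repo, ignoring
                 files the build legitimately generates (assumed allow-list)
    only_repo  : in the repo but omitted from the upload (informational)
    """
    def is_generated(path: str) -> bool:
        return path in generated_ok or ".egg-info/" in path

    return {
        "changed": sorted(p for p in sdist if p in repo and repo[p] != sdist[p]),
        "only_sdist": sorted(p for p in sdist if p not in repo and not is_generated(p)),
        "only_repo": sorted(p for p in repo if p not in sdist),
    }


def matches_pin(artifact: bytes, pinned_sha256: str) -> bool:
    """Digest check equivalent to pip's --require-hashes for one downloaded file."""
    return hmac.compare_digest(sha256_bytes(artifact), pinned_sha256.lower())


def build_sdist(name_version: str, files: dict[str, bytes]) -> bytes:
    """Build a minimal .tar.gz sdist in memory (constructed test input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for rel, data in files.items():
            info = tarfile.TarInfo(name=f"{name_version}/{rel}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed "source control" view of the package.
REPO_FILES = {
    "setup.py": b"from setuptools import setup\nsetup(name='demo', version='1.0')\n",
    "demo/__init__.py": b"",
    "demo/core.py": b"def run():\n    return 'ok'\n",
}
# Constructed tampered upload: core.py differs and a module appears that was never reviewed.
UPLOAD_FILES = {
    "PKG-INFO": b"Metadata-Version: 2.1\nName: demo\nVersion: 1.0\n",
    "setup.py": REPO_FILES["setup.py"],
    "demo/__init__.py": b"",
    "demo/core.py": b"import demo._extra\ndef run():\n    return 'ok'\n",
    "demo/_extra.py": b"# code that never went through the repository\n",
}


def demo() -> dict[str, list[str]]:
    with TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in REPO_FILES.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        return compare(hash_tree(root), hash_sdist(build_sdist("demo-1.0", UPLOAD_FILES)))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Against a real package you would replace `REPO_FILES` with a `git checkout` of the release tag and `UPLOAD_FILES` with the sdist fetched from PyPI; a non-empty `changed` or `only_sdist` list is exactly the hijacked-account signal Sam describes, since the repository history would show nothing. Once you are satisfied with a release, pin its digest in `requirements.txt` and install with `pip install --require-hashes` so a later replacement upload fails the `matches_pin` check instead of silently installing.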
