Re: Do projects exist to audit PyPI-hosted packages?
https://www.novabbs.com/devel/article-flat.php?id=18153&group=comp.lang.python#18153
From: skip.mon...@gmail.com (Skip Montanaro)
Newsgroups: comp.lang.python
Subject: Re: Do projects exist to audit PyPI-hosted packages?
Date: Fri, 6 May 2022 12:36:26 -0500
Lines: 40
Message-ID: <mailman.326.1651858615.20749.python-list@python.org>
References: <CANc-5UxxEwvg7GtftY0RAs3_EkPdyTcRP6g=sAcZCCT2Jso8mw@mail.gmail.com>
<CAD+b3HjshbJ6uBWephMnATA5CNNV5KXha=znPDJBqFBokE0ctQ@mail.gmail.com>
<CAD+b3HhxvCacWD5c4DsafYbVb_vigUMXCRCem8732WthWtMvTg@mail.gmail.com>
<CANc-5Uxj=XRunxieZPKQko29fZZ157gugC26aK2Z0D2R-rqfng@mail.gmail.com>
In-Reply-To: <CAD+b3HhxvCacWD5c4DsafYbVb_vigUMXCRCem8732WthWtMvTg@mail.gmail.com>
 by: Skip Montanaro - Fri, 6 May 2022 17:36 UTC

>
> A related problem is that even if a package is maintained by somebody with
> good intentions, the account might be hijacked by a malicious actor and
> since PyPi is separate from source control, people might not be able to
> find out easily and malware could spread through PyPi.
>

I hadn't considered that. Some sort of authenticated connection between the
source code hosting service and the PyPI user posting the package would be
nice.

<ramble mode="on">

Some other (only tangentially related) stuff occurs to me as I search for
useful bits...

I'd kinda be curious what hosting services other than GitHub or GitLab are
in common use. GNU Savannah? SourceForge? PyPI relevance isn't a terrific
indicator (I assume it uses Libraries.io's SourceRank to get a relevance
score), but it's still some kind of indicator of how useful a package is.
Perhaps the PyPI BigQuery stuff has hosting info. I've not dug into it.
(Thinking that an obscure hosting service might be a small knock against a
package, but that's just a thought. I realize not everyone is happy with
corporate hosting services.)

Having a decent idea what functional alternatives are out there to a
particular package would be nice as well. Again, considering pynput, I hit
Google up for "python packages similar to pynput" which led me here:

https://www.libhunt.com/r/pynput

I was unaware of its existence before. I have no idea how useful it might
be for narrowly focused packages like pynput. Something with application to
a much wider community, like numpy, returns a bunch more:

https://www.libhunt.com/r/numpy

</ramble>

Skip
