> On May 4, 2017, at 4:41 PM, Bruno Rocha <rochacbr...@gmail.com> wrote:
>
> Hi,
>
> I just read this on reddit[0], a thread asking if PyPI packages are audited,
> and somebody pointed to `python-nation`[1], which is a harmful and useless
> module, installing itself and sending the `/etc/passwd` content to an external
> endpoint.
>
> The app receiving the data is hosted at http://python-nation.herokuapp.com
>
> and as the PSF mission [2] says
>
> The mission of the Python Software Foundation is to promote, protect, and
> advance the Python programming language
>
> I wonder if there is a workgroup at PSF to handle this? And not only the
> specific case of `python-nation`, which should be deleted and the user banned
> maybe, but also to handle the audit of other packages?
>
>
> [0]
> https://www.reddit.com/r/Python/comments/697da2/does_pypi_review_code_thats_uploaded/
> [1]
> https://www.reddit.com/r/Python/comments/697da2/does_pypi_review_code_thats_uploaded/dh4uyf8/
> [2] https://www.python.org/psf/mission/
Specifically re: the vector of running code at install time, wheels can help with this, though I don't think there is a good way to tell pip to ignore non-wheel builds. But even then, the whole point is that you're downloading code from the internet :) If you want to discuss this further I recommend the distutils-sig mailing list.

--Noah
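As an added example (not part of the thread and not the package's code), the check a reviewer could run on an sdist before installing it: parse setup.py statically, without executing it, and flag the install-time indicators matching the behaviour described above (a network module imported at install time, a reference to `/etc/passwd`, a custom setuptools install hook). The indicator lists and both sample setup.py strings are constructed for this example.

```python
import ast
from typing import List

# Heuristic indicator lists (assumptions of this example, not a standard).
NETWORK_MODULES = {"socket", "urllib", "urllib2", "httplib", "http", "requests"}
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", "/.ssh/", "/.aws/")


def triage_setup_py(source: str) -> List[str]:
    """Sorted install-time risk indicators found in setup.py source.
    The file is parsed, never executed, so this is safe on an untrusted sdist."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            modules = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            modules = [node.module or ""]
        else:
            modules = []
        for mod in modules:
            if mod.split(".")[0] in NETWORK_MODULES:
                findings.add(f"network module imported at install time: {mod}")
        # String literals naming account or credential files.
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            for path in SENSITIVE_PATHS:
                if path in node.value:
                    findings.add(f"sensitive path referenced: {node.value}")
        # setup(cmdclass=...) swaps the install command for arbitrary code,
        # which is the hook a malicious sdist needs to run on `pip install`.
        if isinstance(node, ast.keyword) and node.arg == "cmdclass":
            findings.add("custom setuptools command class (install hook)")
    return sorted(findings)


# Constructed samples for this example (not the real package's code).
BENIGN_SETUP = """
from setuptools import setup
setup(name="demo", version="0.1", packages=["demo"])
"""
SUSPICIOUS_SETUP = """
from setuptools import setup
from setuptools.command.install import install
import urllib.request
class Hook(install):
    def run(self):
        data = open("/etc/passwd").read()  # constructed; transmission omitted
        install.run(self)
setup(name="demo", version="0.1", cmdclass={"install": Hook})
"""
```

Against a real sdist you would extract the archive and pass the text of its setup.py to `triage_setup_py`; a wheel carries no setup.py to run, which is why wheels remove this particular vector.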
_______________________________________________
PSF-Community mailing list
PSF-Community@python.org
https://mail.python.org/mailman/listinfo/psf-community