I'm preparing requests for Warehouse's code to be audited by independent
security experts.* I'd love help answering these questions to fill out
the forms:

* Has Warehouse been audited before? "If so please provide dates, a
brief summary, who performed it, and any public outputs." (And that'll
help me summarize the changes since then.)

* Which repositories would we want to have audited? Off the top of my
head I'm thinking we'd want Warehouse, readme_renderer, cabotage, and
https://github.com/python/pypi-infra . (From there I can also determine
the approximate number of lines of code.)

* Does the project have any specific dates that are ideal for an audit?
I believe: not particularly.


As always, if you have an immediate security concern regarding PyPI,
please email security at python dot org per the PyPI security policy
https://pypi.org/security/ .



* I'll submit these requests to
https://www.opentech.fund/lab/red-team-lab and
https://wiki.mozilla.org/MOSS/Secure_Open_Source ; the latter would also
provide financial support for "remedial work to rectify the problems found".

-- 
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
