Christian Heimes writes:
 > It's all open source. It's up to the Python community to adopt
 > packages and provide them on PyPI.
 >
 > Python core will not maintain and distribute the packages. I'll
 > merely provide a repository with packages to help kick-starting the
 > process.
This looks to me like an opening to a special class of supply chain attacks. I realize that PyPI is not yet particularly robust to such attacks, and we have seen "similar name" attacks (malware uploaded under a name similar to a popular package). ISTM that this approach to implementing the PEP will enable "identical name" attacks. (By download count, stdlib packages are as popular as Python. :-)

It now appears that there's been substantial pushback against removing packages that could be characterized as "obsolete and superseded but still in use", so this may not be a sufficiently great risk to be worth addressing. I guess this post is already a warning to those who are taking care of the "similar name" malware that this class of attacks will be opened up.

One thing we *could* do that would require moderate effort would be to put them up on PyPI ourselves, and require that would-be maintainers be given a (light) vetting before handing over the keys. (Maybe just require that they be subscribers to the Dead Parrot SIG? :-)

Steve

_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
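As an added illustration of the "identical name" problem Steve describes (example code written for this page, not from the thread, the PEP, or Python core): the first check reports whether a top-level name currently resolves from the stdlib or from site-packages, which is what decides who wins an import once a stdlib module is gone; the second flags removal candidates that already collide, after PEP 503 name normalisation, with names in a PyPI snapshot. The removal list and the PyPI snapshot are constructed for the example and are not real registry data; only `importlib.util.find_spec` and `sysconfig` are used, both standard library.

```python
"""Added example: where does a module name resolve from today, and which
names slated for stdlib removal collide with names already on PyPI?

Not part of the python-dev thread. REMOVAL_CANDIDATES and PYPI_SNAPSHOT are
constructed for illustration, not a PEP's list or real PyPI data.
"""
import importlib.util
import re
import sysconfig
from pathlib import Path

# Constructed: names a removal PEP might list (assumption, not the PEP's list).
REMOVAL_CANDIDATES = ["asynchat", "telnetlib", "imp", "cgi"]

# Constructed: project names already registered on PyPI in this snapshot.
PYPI_SNAPSHOT = ["requests", "Telnetlib", "CGI", "numpy"]


def normalize(name: str) -> str:
    """PEP 503 project-name normalisation as PyPI applies it: case-insensitive,
    runs of '-', '_' and '.' collapse to a single '-'. 'Telnetlib' and
    'telnetlib' are therefore the same project, so an identical-name check
    has to compare normalised names, not raw strings."""
    return re.sub(r"[-_.]+", "-", name).lower()


def _is_under(path: Path, directory: Path) -> bool:
    try:
        path.relative_to(directory)
        return True
    except ValueError:
        return False


def classify(name: str) -> str:
    """Return 'stdlib', 'third-party', 'missing' or 'other' for a top-level
    module name, based on where the import system would load it from now.

    A name that is 'stdlib' today becomes 'missing' after removal, and from
    then on the first same-named distribution that gets pip-installed is what
    `import name` picks up, with no warning to the importer."""
    try:
        spec = importlib.util.find_spec(name)
    except (ModuleNotFoundError, ValueError):
        return "missing"
    if spec is None:
        return "missing"
    if spec.origin is None:
        return "other"      # namespace package: no single file location
    if not spec.has_location:
        return "stdlib"     # built-in or frozen module compiled into the interpreter

    origin = Path(spec.origin).resolve()
    paths = sysconfig.get_paths()
    site_dirs = [Path(paths[k]).resolve() for k in ("purelib", "platlib") if k in paths]
    stdlib_dirs = [Path(paths[k]).resolve() for k in ("stdlib", "platstdlib") if k in paths]

    # site-packages normally lives *inside* the stdlib directory, so the
    # third-party test must run first or everything looks like stdlib.
    if any(_is_under(origin, d) for d in site_dirs):
        return "third-party"
    if any(_is_under(origin, d) for d in stdlib_dirs):
        return "stdlib"
    return "other"


def shadowable(removal_candidates, pypi_names):
    """Removal candidates whose normalised name is already held by a PyPI
    project: once the stdlib copy is gone, that project owns the import."""
    taken = {normalize(n) for n in pypi_names}
    return sorted(n for n in removal_candidates if normalize(n) in taken)


def main():
    for name in REMOVAL_CANDIDATES:
        print(f"{name:12s} resolves from: {classify(name)}")
    print("already taken on PyPI (constructed snapshot):",
          shadowable(REMOVAL_CANDIDATES, PYPI_SNAPSHOT))


if __name__ == "__main__":
    main()
```

Run against a real registry the second check would need the current list of PyPI project names rather than the constructed snapshot; the normalisation step is the part people forget, since a differently cased registration still claims the name.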