This vector exists today for all new stdlib modules: once added, any existing dependency could include that name to cater it to be imported on prior Python versions.
Rob

On Wed, 22 May 2019, 17:03 Stephen J. Turnbull, <turnbull.stephen...@u.tsukuba.ac.jp> wrote:

> Christian Heimes writes:
>
> > It's all open source. It's up to the Python community to adopt
> > packages and provide them on PyPI.
> >
> > Python core will not maintain and distribute the packages. I'll
> > merely provide a repository with packages to help kick-starting the
> > process.
>
> This looks to me like an opening to a special class of supply chain
> attacks. I realize that PyPI is not yet particularly robust to such
> attacks, and we have seen "similar name" attacks (malware uploaded
> under a name similar to a popular package). ISTM that this approach
> to implementing the PEP will enable "identical name" attacks. (By
> download count, stdlib packages are as popular as Python. :-)
>
> It now appears that there's been substantial pushback against removing
> packages that could be characterized as "obsolete and superseded but
> still in use", so this may not be a sufficient great risk to be worth
> addressing. I guess this post is already a warning to those who are
> taking care of the "similar name" malware that this class of attacks
> will be opened up.
>
> One thing we *could* do that would require moderate effort would be to
> put them up on PyPI ourselves, and require that would-be maintainers
> be given a (light) vetting before handing over the keys. (Maybe just
> require that they be subscribers to the Dead Parrot SIG? :-)
>
> Steve
_______________________________________________ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
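The "identical name" risk discussed in this thread can be checked for on the consumer side: scan a project's requirement lines for names that coincide with a current or removed stdlib module. This is an added example, not code from the thread or from CPython; `DEAD_BATTERIES`, the fallback name set, and `SAMPLE_REQUIREMENTS` are constructed for illustration (on Python 3.10+ `sys.stdlib_module_names` is the real current-stdlib list).

```python
"""Flag requirement names that shadow stdlib or removed-stdlib modules.

Added example: a dependency pinning a name equal to a (former) stdlib
module pulls a PyPI package of that name onto older interpreters.
"""
import re
import sys

# Modules PEP 594 proposed to remove (constructed subset, for illustration).
DEAD_BATTERIES = {"asynchat", "asyncore", "cgi", "imp", "nntplib", "smtpd", "telnetlib"}

# Constructed fallback for interpreters older than 3.10, which lack
# sys.stdlib_module_names; extend as needed.
_FALLBACK_STDLIB = {"os", "sys", "json", "ssl", "hashlib", "xml", "email"}


def stdlib_names():
    """Current stdlib top-level names plus the removed 'dead batteries'."""
    return set(getattr(sys, "stdlib_module_names", _FALLBACK_STDLIB)) | DEAD_BATTERIES


# Leading project name of a requirement line (extras/specifiers/markers follow).
_REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name):
    """PEP 503 name normalization: lowercase, collapse runs of [-_.] to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def shadowed_requirements(lines, stdlib=None):
    """Return normalized requirement names that collide with a stdlib module name."""
    known = {normalize(n) for n in (stdlib if stdlib is not None else stdlib_names())}
    hits = []
    for line in lines:
        line = line.split("#", 1)[0].strip()          # drop comments and whitespace
        if not line or line.startswith(("-", "git+", "http")):
            continue                                   # options and URL requirements
        match = _REQ.match(line)
        if match and normalize(match.group(1)) in known:
            hits.append(normalize(match.group(1)))
    return hits


# Constructed requirements.txt content: three entries shadow stdlib names.
SAMPLE_REQUIREMENTS = [
    "requests>=2.20",
    "telnetlib ; python_version >= '3.13'",
    "asyncore==1.0",
    "# pinned for legacy CGI handler",
    "Cgi",
]

if __name__ == "__main__":
    print("shadowed:", shadowed_requirements(SAMPLE_REQUIREMENTS))
```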