On Wed, May 22, 2019 at 01:59:59PM +0900, Stephen J. Turnbull wrote: > This looks to me like an opening to a special class of supply chain > attacks. [...]
> One thing we *could* do that would require moderate effort would be to > put them up on PyPI ourselves, and require that would-be maintainers > be given a (light) vetting before handing over the keys. (Maybe just > require that they be subscribers to the Dead Parrot SIG? :-) Because black hat hackers don't know how to subscribe to a SIG? *wink* I'm just gonna leave this here... https://www.ietf.org/rfc/rfc3514.txt Python is open source, anyone can fork any module from the std lib for any purposes. We can't stop that. But your earlier point about supply chain attacks is very valid. Modules we shift out of the stdlib become more vulnerable to supply chain attacks, because more people will have to download them, giving more opportunity for typo-squatter attacks. -- Steven _______________________________________________ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
