[Distutils] Re: Question from a Beginner

2021-09-27 Thread Sonic Emitter3000
Awesome, thanks for the information.

On Thu, Sep 23, 2021, 2:11 PM Steve Dower  wrote:

> The main thing for you to do is to double-check all the names you type
> in *before* you install anything. Most of the "security" issues come
> down to people trying to catch misspellings ("typo-squatting"), so if
> you've spelled everything correctly, you'll get the packages you expected.
>
> If you don't even trust *those* packages, or their dependencies, you're
> signing up for a whole lot more work (reviewing code, manually creating
> a private mirror, curation, etc.). Ultimately it will be up to you to
> decide who you trust and how much you trust them.
>
> I believe the infrastructure itself to be trustworthy, and most of the
> people publishing popular packages are trustworthy. But ultimately
> you're on your own right now for detecting impersonation.
>
> Cheers,
> Steve
>
> On 9/17/2021 5:13 PM, Sonic Emitter3000 wrote:
> > Hello, hope you're doing well. I greatly appreciate the effort of you
> > people to make open source projects like you do, but I must ask.
> >
> > I have heard that security is quite lax when installing modules using
> > the most popular sites for Python modules. Would you know of how I would
> > protect myself more from potentially malicious fakes of popular Python
> > modules?
> >
>
-- 
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at 
https://mail.python.org/archives/list/distutils-sig@python.org/message/S3NQFRSRAMIKF6FWBLALPBQ4GBSM4HI5/


[Distutils] Re: Question from a Beginner

2021-09-23 Thread Steve Dower
The main thing for you to do is to double-check all the names you type 
in *before* you install anything. Most of the "security" issues come 
down to people trying to catch misspellings ("typo-squatting"), so if 
you've spelled everything correctly, you'll get the packages you expected.
If you don't even trust *those* packages, or their dependencies, you're 
signing up for a whole lot more work (reviewing code, manually creating 
a private mirror, curation, etc.). Ultimately it will be up to you to 
decide who you trust and how much you trust them.
I believe the infrastructure itself to be trustworthy, and most of the 
people publishing popular packages are trustworthy. But ultimately 
you're on your own right now for detecting impersonation.


Cheers,
Steve

On 9/17/2021 5:13 PM, Sonic Emitter3000 wrote:
Hello, hope you're doing well. I greatly appreciate the effort of you 
people to make open source projects like you do, but I must ask.
I have heard that security is quite lax when installing modules using 
the most popular sites for Python modules. Would you know of how I would 
protect myself more from potentially malicious fakes of popular Python 
modules?
--
Message archived at 
https://mail.python.org/archives/list/distutils-sig@python.org/message/MXFS2XS2QIT2NO2YIGAKYE43JQLB3PQV/
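An added example (editor's illustration, not code from Steve or the original poster): a pre-install check that turns the "double-check the names before you install" advice into a script. It normalizes each requested name the way PyPI does, compares it against a curated allowlist you maintain, and flags names that are not on the list but sit within a small edit distance of an allowed one, which is the shape of a typo-squat. The allowlist and the requirements lines are constructed for illustration.

```python
import re
import sys

# Constructed allowlist: the packages this project has decided to trust.
# In practice this is your curated list, not anything published by PyPI.
ALLOWED = {"requests", "numpy", "urllib3", "cryptography", "setuptools"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (classic DP, O(len(a)*len(b)))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    """PEP 503 normalization: lowercase, runs of '-', '_' and '.' become one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def check_name(name: str, allowed=ALLOWED, max_distance: int = 2):
    """Return ('ok', normalized) | ('suspicious', [near allowed names]) | ('unknown', None)."""
    n = normalize(name)
    if n in allowed:
        return ("ok", n)
    near = sorted(a for a in allowed if edit_distance(n, a) <= max_distance)
    if near:
        return ("suspicious", near)  # not on the list, but looks like something that is
    return ("unknown", None)         # not on the list and not a near miss: needs review


# A requirement line starts with the project name; everything after it (version
# specifiers, extras, markers) is ignored for the purpose of this check.
_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def check_requirements(lines):
    """Check each non-comment requirements line; returns [(raw_name, verdict, detail)]."""
    report = []
    for line in lines:
        line = line.split("#", 1)[0].strip()
        m = _NAME_RE.match(line)
        if m:
            verdict, detail = check_name(m.group(1))
            report.append((m.group(1), verdict, detail))
    return report


if __name__ == "__main__":
    # Usage: python check_names.py requirements.txt ; exits non-zero on any non-ok name.
    with open(sys.argv[1]) as f:
        results = check_requirements(f.readlines())
    for raw, verdict, detail in results:
        print(f"{verdict:10} {raw:30} {detail or ''}")
    sys.exit(1 if any(v != "ok" for _, v, _ in results) else 0)
```

Wire it into whatever runs before `pip install` so a typo stops the build instead of pulling an unknown package; names that come back "unknown" still need a human to confirm them before being added to the allowlist.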