Re: [PSF-Community] Dangerous PyPI packages and PSF

2017-05-04 Thread Noah Kantrowitz

> On May 4, 2017, at 4:41 PM, Bruno Rocha  wrote:
> 
> Hi,
> 
> I just read this on reddit[0], a thread asking if PyPI packages are audited 
> and somebody pointed to `python-nation`[1], which is a harmful and useless 
> module that installs itself and sends the `/etc/passwd` content to an external 
> endpoint.
> 
> The app receiving the data is hosted at http://python-nation.herokuapp.com
> 
> and as the PSF mission [2] says
> 
> The mission of the Python Software Foundation is to promote, protect, and 
> advance the Python programming language
> 
> I wonder if there is some workgroup at PSF to handle this, and not only the 
> specific case of `python-nation`, which should be deleted and the user banned 
> maybe, but also to handle the audit of other packages?
> 
> 
> [0] 
> https://www.reddit.com/r/Python/comments/697da2/does_pypi_review_code_thats_uploaded/
> [1] 
> https://www.reddit.com/r/Python/comments/697da2/does_pypi_review_code_thats_uploaded/dh4uyf8/
> [2] https://www.python.org/psf/mission/

Specifically re: the vector of running code at install time, wheels can help 
with this though I don't think there is a good way to tell pip to ignore 
non-wheel builds. But even then, the whole point is that you're downloading 
code from the internet :) If you want to discuss this further I recommend the 
distutils-sig mailing list.

--Noah




___
PSF-Community mailing list
PSF-Community@python.org
https://mail.python.org/mailman/listinfo/psf-community


Re: [PSF-Community] Dangerous PyPI packages and PSF

2017-05-04 Thread Gregory P. Smith
This is not a solvable problem. IMNSHO we should never attempt to implement
pre-screening of packages.

It is a good post-package-upload task for someone to try and do as a
research project.

Automated code scanning can only find already known things and similar
signatures (at which point it can have false positives) and we aren't just
talking about obfuscated source code.  PyPI hosts binary wheels made using
unreproducible build processes on untrusted machines created from
unverifiable inputs.  Scanning services such as Google's
https://www.virustotal.com/en/about/ exist but I'm not sure that'd be of
much value to PyPI.

-gps

On Thu, May 4, 2017 at 7:28 PM Ryan Birmingham 
wrote:

> I'm not sure what effective package review would look like here. Perhaps
> we could establish an entity to screen packages on an opt-in basis, but I
> don't know if we have the resources/people for this. Automated code
> screening could and probably would miss the python nation example due to
> the unorthodox use of compressed instructions.
> Does anyone have any ideas?
>
> -Ryan Birmingham
>
> On 4 May 2017 at 20:08, Bruno Rocha  wrote:
>
>> Interesting detail, the mentioned package
>> https://pypi.python.org/pypi/python-nation/1.0.1 was created and
>> uploaded by Jacob Kaplan Moss, so I guess this is intended to be a POC, to
>> show PyPI vulnerabilities or some Infosec experiment.
>>
>> On Thu, May 4, 2017 at 8:41 PM, Bruno Rocha 
>> wrote:
>>
>>> Hi,
>>>
>>> I just read this on reddit[0], a thread asking if PyPI packages are
>>> audited and somebody pointed to `python-nation`[1], which is a harmful and
>>> useless module that installs itself and sends the `/etc/passwd` content to
>>> an external endpoint.
>>>
>>> The app receiving the data is hosted at
>>> http://python-nation.herokuapp.com
>>>
>>> and as the PSF mission [2] says
>>>
>>> The mission of the Python Software Foundation is to promote, protect,
>>> and advance the Python programming language
>>>
>>> I wonder if there is some workgroup at PSF to handle this, and not only
>>> the specific case of `python-nation`, which should be deleted and the user
>>> banned maybe, but also to handle the audit of other packages?
>>>
>>>
>>> [0]
>>> https://www.reddit.com/r/Python/comments/697da2/does_pypi_review_code_thats_uploaded/
>>> [1]
>>> https://www.reddit.com/r/Python/comments/697da2/does_pypi_review_code_thats_uploaded/dh4uyf8/
>>> [2] https://www.python.org/psf/mission/
>>>
>>>
>>> Cheers,
>>>
>>> --
>>>
>>> *Bruno Rocha - @rochacbruno *
>>> http://brunorocha.org
>>>
>>>
>>
>>
>> --
>>
>> *Bruno Rocha - @rochacbruno *
>> http://brunorocha.org
>>
>>


Re: [PSF-Community] Dangerous PyPI packages and PSF

2017-05-04 Thread Ryan Birmingham
I'm not sure what effective package review would look like here. Perhaps we
could establish an entity to screen packages on an opt-in basis, but I
don't know if we have the resources/people for this. Automated code
screening could and probably would miss the python nation example due to
the unorthodox use of compressed instructions.
Does anyone have any ideas?

-Ryan Birmingham

On 4 May 2017 at 20:08, Bruno Rocha  wrote:

> Interesting detail, the mentioned package
> https://pypi.python.org/pypi/python-nation/1.0.1 was created and uploaded by
> Jacob Kaplan Moss, so I guess this is intended to be a POC, to show PyPI
> vulnerabilities or some Infosec experiment.
>
> On Thu, May 4, 2017 at 8:41 PM, Bruno Rocha  wrote:
>
>> Hi,
>>
>> I just read this on reddit[0], a thread asking if PyPI packages are
>> audited and somebody pointed to `python-nation`[1], which is a harmful and
>> useless module that installs itself and sends the `/etc/passwd` content to
>> an external endpoint.
>>
>> The app receiving the data is hosted at http://python-nation.herokuapp.com
>>
>> and as the PSF mission [2] says
>>
>> The mission of the Python Software Foundation is to promote, protect, and
>> advance the Python programming language
>>
>> I wonder if there is some workgroup at PSF to handle this, and not only
>> the specific case of `python-nation`, which should be deleted and the user
>> banned maybe, but also to handle the audit of other packages?
>>
>>
>> [0] https://www.reddit.com/r/Python/comments/697da2/does_pypi_review_code_thats_uploaded/
>> [1] https://www.reddit.com/r/Python/comments/697da2/does_pypi_review_code_thats_uploaded/dh4uyf8/
>> [2] https://www.python.org/psf/mission/
>>
>>
>> Cheers,
>>
>> --
>>
>> *Bruno Rocha - @rochacbruno *
>> http://brunorocha.org
>>
>>
>
>
> --
>
> *Bruno Rocha - @rochacbruno *
> http://brunorocha.org
>
>
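Ryan's expectation that automated screening would miss compressed instructions, and Gregory's that scanning only catches known patterns and then with false positives, can both be seen on a small scale. Added example for this thread, not code from PyPI, pip or anyone on the list: a heuristic AST scan of a setup.py, where the "suspect" module list, the sensitive-path list and the three sample setup.py texts are constructed assumptions about what looks unusual at install time.

```python
"""Heuristic AST scan of one setup.py for install-time code worth a human look.
Added example for this thread, not PyPI's or pip's code; lists and samples are constructed."""
import ast

# Calls that turn opaque data into executable code while pip runs setup.py.
CODE_LOADERS = {"exec", "eval", "compile", "__import__"}
# Modules a plain setup.py rarely needs: network, decoding, decompression.
SUSPECT_MODULES = {"socket", "urllib", "requests", "http", "zlib", "base64",
                   "marshal", "subprocess"}
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", "/.ssh/")


def scan_setup_py(source: str) -> list:
    """Return sorted (lineno, reason) findings for one setup.py source text."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            func = node.func
            name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
            if name in CODE_LOADERS:
                findings.append((node.lineno, f"dynamic code loader {name}()"))
        elif isinstance(node, (ast.Import, ast.ImportFrom)):
            mods = [a.name for a in node.names] if isinstance(node, ast.Import) else [node.module or ""]
            for mod in mods:
                if mod.split(".")[0] in SUSPECT_MODULES:
                    findings.append((node.lineno, f"unusual import {mod}"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if any(p in node.value for p in SENSITIVE_PATHS):
                findings.append((node.lineno, f"sensitive path {node.value!r}"))
    return sorted(findings)


# Constructed sample 1: an ordinary setup.py; expected to yield no findings.
BENIGN_SETUP = '''from setuptools import setup
setup(name="demo", version="1.0", packages=["demo"])
'''
# Constructed sample 2: the shape the thread describes, an opaque blob decoded,
# decompressed and exec()ed at install time (blob elided; nothing here runs).
SUSPECT_SETUP = '''import base64, zlib
from setuptools import setup
exec(zlib.decompress(base64.b64decode("<blob elided>")))
setup(name="not-really-useful", version="1.0")
'''
# Constructed sample 3: the false positive Gregory predicts; a legitimate
# setup.py that exec()s its own _version.py trips the same exec() heuristic.
VERSION_EXEC_SETUP = '''from setuptools import setup
ns = {}
exec(open("pkg/_version.py").read(), ns)
setup(name="pkg", version=ns["__version__"])
'''
```

A finding only marks a file for a person to read; a blob that is fetched over the network, or a wheel with no setup.py at all, produces nothing here.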


Re: [PSF-Community] Dangerous PyPI packages and PSF

2017-05-04 Thread Jacqueline Kazil
That is a great observation Bruno!

-Jackie

On Thu, May 4, 2017 at 8:08 PM, Bruno Rocha  wrote:

> Interesting detail, the mentioned package
> https://pypi.python.org/pypi/python-nation/1.0.1 was created and uploaded by
> Jacob Kaplan Moss, so I guess this is intended to be a POC, to show PyPI
> vulnerabilities or some Infosec experiment.
>
> On Thu, May 4, 2017 at 8:41 PM, Bruno Rocha  wrote:
>
>> Hi,
>>
>> I just read this on reddit[0], a thread asking if PyPI packages are
>> audited and somebody pointed to `python-nation`[1], which is a harmful and
>> useless module that installs itself and sends the `/etc/passwd` content to
>> an external endpoint.
>>
>> The app receiving the data is hosted at http://python-nation.herokuapp.com
>>
>> and as the PSF mission [2] says
>>
>> The mission of the Python Software Foundation is to promote, protect, and
>> advance the Python programming language
>>
>> I wonder if there is some workgroup at PSF to handle this, and not only
>> the specific case of `python-nation`, which should be deleted and the user
>> banned maybe, but also to handle the audit of other packages?
>>
>>
>> [0] https://www.reddit.com/r/Python/comments/697da2/does_pypi_review_code_thats_uploaded/
>> [1] https://www.reddit.com/r/Python/comments/697da2/does_pypi_review_code_thats_uploaded/dh4uyf8/
>> [2] https://www.python.org/psf/mission/
>>
>>
>> Cheers,
>>
>> --
>>
>> *Bruno Rocha - @rochacbruno *
>> http://brunorocha.org
>>
>>
>
>
> --
>
> *Bruno Rocha - @rochacbruno *
> http://brunorocha.org
>
>


-- 
Jacqueline Kazil | @jackiekazil


Re: [PSF-Community] Dangerous PyPI packages and PSF

2017-05-04 Thread Bruno Rocha
Interesting detail, the mentioned package
https://pypi.python.org/pypi/python-nation/1.0.1 was created and uploaded
by Jacob Kaplan Moss, so I guess this is intended to be a POC, to show PyPI
vulnerabilities or some Infosec experiment.

On Thu, May 4, 2017 at 8:41 PM, Bruno Rocha  wrote:

> Hi,
>
> I just read this on reddit[0], a thread asking if PyPI packages are
> audited and somebody pointed to `python-nation`[1], which is a harmful and
> useless module that installs itself and sends the `/etc/passwd` content to
> an external endpoint.
>
> The app receiving the data is hosted at http://python-nation.herokuapp.com
>
> and as the PSF mission [2] says
>
> The mission of the Python Software Foundation is to promote, protect, and
> advance the Python programming language
>
> I wonder if there is some workgroup at PSF to handle this, and not only
> the specific case of `python-nation`, which should be deleted and the user
> banned maybe, but also to handle the audit of other packages?
>
>
> [0] https://www.reddit.com/r/Python/comments/697da2/does_pypi_review_code_thats_uploaded/
> [1] https://www.reddit.com/r/Python/comments/697da2/does_pypi_review_code_thats_uploaded/dh4uyf8/
> [2] https://www.python.org/psf/mission/
>
>
> Cheers,
>
> --
>
> *Bruno Rocha - @rochacbruno *
> http://brunorocha.org
>
>


-- 

*Bruno Rocha - @rochacbruno *
http://brunorocha.org


[PSF-Community] Dangerous PyPI packages and PSF

2017-05-04 Thread Bruno Rocha
Hi,

I just read this on reddit[0], a thread asking if PyPI packages are audited
and somebody pointed to `python-nation`[1], which is a harmful and useless
module that installs itself and sends the `/etc/passwd` content to an external
endpoint.

The app receiving the data is hosted at http://python-nation.herokuapp.com

and as the PSF mission [2] says

The mission of the Python Software Foundation is to promote, protect, and
advance the Python programming language

I wonder if there is some workgroup at PSF to handle this, and not only
the specific case of `python-nation`, which should be deleted and the user
banned maybe, but also to handle the audit of other packages?


[0] https://www.reddit.com/r/Python/comments/697da2/does_pypi_review_code_thats_uploaded/
[1] https://www.reddit.com/r/Python/comments/697da2/does_pypi_review_code_thats_uploaded/dh4uyf8/
[2] https://www.python.org/psf/mission/


Cheers,

-- 

*Bruno Rocha - @rochacbruno *
http://brunorocha.org


[PSF-Community] Announcement: PSF Members Lunch at PyCon US

2017-05-04 Thread Ewa Jodlowska
Dear PSF members,

We will host a PSF Members Lunch at PyCon US Portland, OR for those that
are registered for the conference. If you are a new or long-time PSF
member, it would be great to meet you in person.

   - Day/time: Saturday May 20, 2017, 12:40pm local time
   - Location: Oregon Convention Center, Room F150-F151
   - Menu:
  - Salad option for all: Spinach and Curly Endive - strawberries,
  Briar Rose Creamery goat cheese, black pepper honey
  - Regular: Roasted Breast of Chicken Roulade - local forest mushroom
  ragout, white cream garlic sauce, garlic chips
  - Portobello Napoleon (GF & LF) - grilled portobello mushrooms, eggplant,
  roasted pepper, tomato coulis, basil oil
  - Special dietary meals will be provided for those that request one
  in the RSVP below.
   - RSVP by May 10, 2017: https://goo.gl/forms/ebuLxsNmMSx3ieIQ2
   - Agenda:
  - get to know some of the 2017/18 PSF Board candidates
  - mingling with members

Best regards,

Ewa
Director of Operations
Python Software Foundation