[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Python-Dev] PEP 594: Removing dead batteries from the standard library

Christian Heimes writes:

 > It's all open source. It's up to the Python community to adopt
 > packages and provide them on PyPI.
 > Python core will not maintain and distribute the packages. I'll
 > merely provide a repository with packages to help kick-starting the
 > process.

This looks to me like an opening to a special class of supply chain
attacks.  I realize that PyPI is not yet particularly robust to such
attacks, and we have seen "similar name" attacks (malware uploaded
under a name similar to a popular package).  ISTM that this approach
to implementing the PEP will enable "identical name" attacks.  (By
download count, stdlib packages are as popular as Python. :-)

It now appears that there's been substantial pushback against removing
packages that could be characterized as "obsolete and superseded but
still in use", so this may not be a sufficient great risk to be worth
addressing.  I guess this post is already a warning to those who are
taking care of the "similar name" malware that this class of attacks
will be opened up.

One thing we *could* do that would require moderate effort would be to
put them up on PyPI ourselves, and require that would-be maintainers
be given a (light) vetting before handing over the keys.  (Maybe just
require that they be subscribers to the Dead Parrot SIG? :-)