[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Python-Dev] PEP 594: Removing dead batteries from the standard library

This vector exists today for all new stdlib modules: once added, any
existing dependency could include that name to cater it to be imported on
prior python versions.


On Wed, 22 May 2019, 17:03 Stephen J. Turnbull, <
turnbull.stephen.fw at> wrote:

> Christian Heimes writes:
>  > It's all open source. It's up to the Python community to adopt
>  > packages and provide them on PyPI.
>  >
>  > Python core will not maintain and distribute the packages. I'll
>  > merely provide a repository with packages to help kick-starting the
>  > process.
> This looks to me like an opening to a special class of supply chain
> attacks.  I realize that PyPI is not yet particularly robust to such
> attacks, and we have seen "similar name" attacks (malware uploaded
> under a name similar to a popular package).  ISTM that this approach
> to implementing the PEP will enable "identical name" attacks.  (By
> download count, stdlib packages are as popular as Python. :-)
> It now appears that there's been substantial pushback against removing
> packages that could be characterized as "obsolete and superseded but
> still in use", so this may not be a sufficient great risk to be worth
> addressing.  I guess this post is already a warning to those who are
> taking care of the "similar name" malware that this class of attacks
> will be opened up.
> One thing we *could* do that would require moderate effort would be to
> put them up on PyPI ourselves, and require that would-be maintainers
> be given a (light) vetting before handing over the keys.  (Maybe just
> require that they be subscribers to the Dead Parrot SIG? :-)
> Steve
> _______________________________________________
> Python-Dev mailing list
> Python-Dev at
> Unsubscribe:
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>