I forgot to mention that there is work/discussion about supporting code signing, in PEPs 458 and 480. But it's a complicated topic, and code signing is not the silver bullet that some commentators seem to think it is.

On Fri, Feb 8, 2019, at 12:10 PM, Thomas Kluyver wrote:
> On Thu, Feb 7, 2019, at 11:55 PM, Prateek Mohta wrote:
>> I wanted to check if the packages available on Pypi.org are scanned
>> for any security vulnerabilities or not, can you please confirm.
>
> As far as I know, they are not.
>
>> My concern is how do you control if someone uploads a malicious code
>> on Github
>
> The only real control that PyPI implements is that once someone claims
> a name, they (or other people they designate) control what code goes
> under that name. So if you 'pip install django', you can trust that
> you're getting the package uploaded by the maintainers of the official
> Django project.
>
> New names can be claimed by anyone, including people who may have
> malicious intent. Sometimes people have uploaded malicious packages
> with names similar to popular packages, in the hope that people will
> make a typo and install the malicious code. These are removed when
> someone notices them (and some obvious names are now blocked), but
> there's no guarantee that PyPI is free of malicious packages.
>
> In summary: PyPI is infrastructure to distribute Python packages. It
> doesn't try to answer the question "is this safe to install?"
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at https://mail.python.org/archives/list/distutils-sig@python.org/message/3XV3ZZTEAJAQOIIVWFFAGHKASJHJNSRN/
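
Added example, not part of the original thread: since PyPI does not vet uploads and look-alike names are a known problem, an installer-side check can compare the names you are about to install against the names you intend to depend on. The allowlist, the sample names and the function names below are constructed for illustration.

```python
import re

# Constructed allowlist: the names your project actually intends to depend on.
KNOWN = {"django", "requests", "numpy", "urllib3", "python-dateutil"}

def normalize(name):
    """PEP 503 normalization: case-insensitive, runs of -_. are equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()

def osa_distance(a, b):
    """Optimal string alignment distance (edits plus adjacent transpositions)."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # swapped neighbours
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def lookalikes(requested, known=KNOWN, max_distance=1):
    """Return (requested_name, known_name) pairs that are near-misses."""
    flagged = []
    for raw in requested:
        name = normalize(raw)
        if name in known:
            continue  # exact match after normalization: the intended project
        for target in sorted(known):
            # Also catch names that differ only by dropped separators.
            squashed = name.replace("-", "") == target.replace("-", "")
            if squashed or osa_distance(name, target) <= max_distance:
                flagged.append((raw, target))
                break
    return flagged

if __name__ == "__main__":
    # Constructed sample of names as they might appear in a requirements file.
    sample = ["Django", "djago", "reqeusts", "python_dateutil",
              "pythondateutil", "flask"]
    for raw, target in lookalikes(sample):
        print(f"{raw!r} is not on the allowlist but resembles {target!r}")
```

A name that is flagged is only a candidate for manual review; a name that is not flagged (such as "flask" here) is simply unknown to the allowlist, not verified as safe.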