The main thing for you to do is to double-check all the names you type
in *before* you install anything. Most of the "security" issues come
down to people trying to catch misspellings ("typo-squatting"), so if
you've spelled everything correctly, you'll get the packages you expected.
If you don't even trust *those* packages, or their dependencies, you're
signing up for a whole lot more work (reviewing code, manually creating
a private mirror, curation, etc.). Ultimately it will be up to you to
decide who you trust and how much you trust them.

I believe the infrastructure itself to be trustworthy, and most of the
people publishing popular packages are trustworthy. But ultimately
you're on your own right now for detecting impersonation.

Cheers,
Steve
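A pre-install name check along the lines Steve describes, as an added example that is not part of this thread or of any PyPI tooling: it normalizes requested names the way PyPI does, compares them with an allowlist of packages you expect to use, and flags near-misses of an allowed name as probable typos. The allowlist and the requirements it screens are constructed samples.

```python
"""Pre-install check for typosquatted package names.

Added example, not from the thread. Requested names are normalized the way
PyPI does (PEP 503), checked against an allowlist of packages you expect,
and near-misses of an allowed name are flagged as probable typos.
"""
import re

# Constructed sample: the packages this project is expected to depend on.
ALLOWED = {"requests", "urllib3", "numpy", "python-dateutil"}

def normalize(name: str) -> str:
    """PEP 503 normalization: lowercase, runs of -, _ or . become one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot names one or two keystrokes off."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_names(requested, allowed=ALLOWED, max_dist=2):
    """Return {name: verdict}: "ok", "typo? did you mean <x>" or "unknown"."""
    allowed_norm = {normalize(x) for x in allowed}
    report = {}
    for raw in requested:
        name = normalize(raw.split("==")[0])  # drop a version pin if present
        if name in allowed_norm:
            report[raw] = "ok"
            continue
        near = sorted((edit_distance(name, a), a) for a in allowed_norm)
        if near and near[0][0] <= max_dist:
            report[raw] = f"typo? did you mean {near[0][1]}"
        else:
            report[raw] = "unknown"
    return report

if __name__ == "__main__":
    # Constructed requirements: one correct, two misspelled, one not on the list.
    for pkg, verdict in check_names(["Requests==2.26.0", "reqeusts", "numpyy", "left-pad"]).items():
        print(f"{pkg:20} {verdict}")
```

Run it over a requirements file before `pip install`, and treat any "typo?" or "unknown" verdict as a reason to stop and look up the project page rather than install.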
On 9/17/2021 5:13 PM, Sonic Emitter3000 wrote:
> Hello, hope you're doing well. I greatly appreciate the effort you
> people put into making open source projects like you do, but I must ask.
> I have heard that security is quite lax when installing modules using
> the most popular sites for Python modules. Would you know how I could
> protect myself more from potentially malicious fakes of popular Python
> modules?
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at
https://mail.python.org/archives/list/distutils-sig@python.org/message/MXFS2XS2QIT2NO2YIGAKYE43JQLB3PQV/