I woke with a start in what amounted to the middle of the night (I really need to get about three more hours of sleep, but you'll understand why I was awake to write this).
Many years ago, so as to preserve my wrists, I wrote a tool <https://github.com/smontanaro/python-bits/blob/main/src/watch.py> to monitor mouse and keyboard activity. It tells me when to rest. I use it when I have problems, then put it away until it's needed again. I have resurrected it a few times over the years, most recently a month or two ago.

Having never been all that fond of how I tracked keyboard and mouse activity, I was happy when I stumbled upon pynput <https://pypi.org/project/pynput/>. "Yay!", I thought. My worries are over. Then extremely early this morning I woke thinking, "Damn, this runs on my computer and it can see my mouse and keyboard activity. How do I know it's not stealing my keystrokes?" Not going back to sleep after that. So, I'm going through the code (and the Xlib package on which it relies) to make myself more comfortable that there are no issues.

Note: I am *most certainly not* accusing the pynput author of any mischief. In fact, I suspect there's no problem with the package. It's got a bunch of stars and plenty of forks on GitHub (for what that's worth). I suspect the code has had plenty of eyeballs looking at it. Still, I don't really know how well vetted it might be, so I have no assurances of that. I saw it mentioned somewhere (discuss I think?), checked it out, and thought it would solve my activity tracking in a cross-platform way. (I currently only use an Xorg environment, so while I am looking at the code, I'm not paying attention to the Windows or MacOS bits either.)

This got me thinking. If I'm curious about pynput, might other people be as well? What about other packages? I'm actually not worried about Python proper or vulnerabilities which have already been found <https://github.com/pypa/advisory-database>. PyPI currently advertises that it hosts over 373k packages. With that many hosted packages, it is almost certainly a haven for some undetected vulnerabilities.
Knowing which packages have been audited — at least in a cursory fashion — could be used as a further criterion to use when deciding which packages to consider using on a project. So, does something already exist (pointers appreciated)?

Thx...

Skip
-- 
https://mail.python.org/mailman/listinfo/python-list