Re: [Python-Dev] SK-CSIRT identified malicious software libraries in the official Python package repository, PyPI
* Victor Stinner, 2017-09-15, 23:08:
> Why not just reserve the name without providing any download file?

Is it possible at the moment? I tried "python setup.py register", but all I got was:

Server response (410): Project pre-registration is no longer required or supported, so continue directly to uploading files.

--
Jakub Wilk

___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
Re: [Python-Dev] PEP 557: Data Classes
On 2017-09-15 05:08, Michel Desmoulin wrote:
> Because given how convenient it is, it will most probably become the default way to write classes in Python. Not just for records.

Yes, it would have been great if this was how the original object worked and the current barebones object was a base(object) or something like that. Too late however.

Another option was "bag", which is more generic and brief, and might seem to fit better, but the discussion went towards record.

-Mike
Re: [Python-Dev] SK-CSIRT identified malicious software libraries in the official Python package repository, PyPI
An idea for typo squatting would be to compute the Levenshtein distance with the package names of the standard library and the top 100 most popular PyPI packages, and require contacting a moderation team if the name is too close to an existing package. The moderation team will review the email, but also watch the package for 1 month to check that everything seems fine.

It requires having a list of all package names of the standard library, and maintaining an up-to-date list of popular PyPI package names. It also requires setting up a mailing list, tooling to report the error message to users, and then giving moderators the right to create the package.

I'm not sure that it's easy to implement.

Victor
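As an added example (not code from this thread, from PyPI or from Warehouse), a registration-time check along the lines Victor sketches: normalize the requested name the way PEP 503 does, compute its Levenshtein distance to a protected list, and route near-misses to moderators instead of registering them. The protected sets below are a small constructed sample, not the real standard-library or top-100 lists, and the length-dependent limit is an assumed policy.

```python
import re
import sys
from typing import Iterable, Tuple

# Constructed sample of protected names (assumption); a real deployment would
# load the full standard-library module list plus the top-100 PyPI packages.
STDLIB_NAMES = {"urllib", "urllib2", "json", "os", "sys"}
POPULAR_NAMES = {"urllib3", "requests", "six", "setuptools"}


def normalize(name: str) -> str:
    """PEP 503 canonical form: lowercase, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), two-row DP."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_name(candidate: str, protected: Iterable[str] = ()) -> Tuple[str, str, int]:
    """Decide what a registration request for `candidate` should do.

    Returns (verdict, closest_protected_name, distance):
      'taken'  - exact match (after normalization) with a protected name
      'review' - within the edit-distance limit of one, route to moderators
      'ok'     - far enough from every protected name
    Short names get a tighter limit, since one edit changes most of them.
    """
    names = {normalize(n) for n in (protected or STDLIB_NAMES | POPULAR_NAMES)}
    cand = normalize(candidate)
    if cand in names:
        return "taken", cand, 0
    closest, dist = min(((n, levenshtein(cand, n)) for n in names),
                        key=lambda t: (t[1], t[0]))
    limit = 1 if len(cand) <= 5 else 2
    return ("review" if dist <= limit else "ok"), closest, dist


if __name__ == "__main__":
    for name in sys.argv[1:] or ["urllib", "urlib3", "Urllib-3", "reqeusts", "mypkg"]:
        print(f"{name:>10} -> {check_name(name)}")
```

Plain Levenshtein counts a swapped pair of letters as two edits, so a Damerau variant would be needed to catch transpositions in short names without lowering the limit for everything else.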
Re: [Python-Dev] SK-CSIRT identified malicious software libraries in the official Python package repository, PyPI
Benjamin Bach and Hanno Böck are running https://www.pytosquatting.org/ and registered many projects like https://pypi.python.org/pypi/urllib2

"In June 2016, Typosquatting programming language package managers stated that urllib2 had ~4,000 downloads in 2 weeks. The package name is now squatted by us (the good guys). We take these findings seriously."

It seems like we need a solution to prevent that a project removed because it contains malicious code can be recreated automatically.

pytosquatting.org projects contain a download file: a tarball with a setup.py file. This setup.py raises an exception, but also sends a HTTP request, a "pingback", to their server.

Thank you for reserving names of the standard library. But I'm not sure about the HTTP "pingback" part. It can be on CIs, restricted environments, etc. Why not just reserve the name without providing any download file? With no download file, the user will likely understand his/her error, no?

Note: I don't think that Benjamin Bach and Hanno Böck are related to the PSRT nor PyPI administrators.

Victor

2017-09-15 22:28 GMT+02:00 Victor Stinner:
> Hi,
>
> Last week, the National Security Authority of Slovakia contacted the
> Python Security Response Team (PSRT) to report that the Python Package
> Index (PyPI) was hosting malicious packages. Installing these packages
> sends user data to a HTTP server, but also installs the expected module
> so it was an easy to notice the attack.
>
> Advisory: http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/
>
> Kudos to them for reporting the issue!
>
>
> It's not a compromise of the PyPI server nor a third-party project,
> but the "typo squatting" issue which is known since at least June 2016
> (for PyPI). The issue is not specific to Python: npmjs.com or
> rubygems.org are vulnerable to the same issue.
>
> For example, a malicious package used the names "urllib" (no 3) and
> "urlib3" (1 L) instead of "urllib3" (2 L). These packages were
> downloaded by users, so the attack was effective.
>
> More information on typo squatting and Python package security:
> https://python-security.readthedocs.io/packages.html#pypi-typo-squatting
>
> The PSRT contacted PyPI administrators and all identified packages
> were taken down, only 1h10 after the PSRT received the email from the
> National Security Authority of Slovakia!
>
>
> The typo squatting issue is known and discussed, but no solution was
> found yet. See for example this warehouse issue:
> https://github.com/pypa/warehouse/issues/2151
>
> It seems like the consensus is that pip is not responsible for detecting
> malicious code; it's more the responsibility of PyPI.
>
> The problem is to decide how to detect malicious code and/or prevent
> typo squatting on PyPI.
>
>
> The issue has been discussed privately on the PSRT list last week. The
> National Security Authority of Slovakia just published their advisory,
> and a public discussion started on reddit:
> https://news.ycombinator.com/item?id=15256121
>
> I consider that it's now time to find a solution on the public
> python-dev mailing list.
>
>
> Let's try to find a solution!
>
> Can we learn something from the Update Framework (TUF)?
>
> How do Javascript, Ruby, Perl and other programming languages deal
> with these security issues on their package manager?
>
>
> See also my other notes on Python security and the list of known
> CPython vulnerabilities:
> https://python-security.readthedocs.io/
>
> Victor
[Python-Dev] SK-CSIRT identified malicious software libraries in the official Python package repository, PyPI
Hi,

Last week, the National Security Authority of Slovakia contacted the Python Security Response Team (PSRT) to report that the Python Package Index (PyPI) was hosting malicious packages. Installing these packages sends user data to a HTTP server, but also installs the expected module so it was an easy to notice the attack.

Advisory: http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/

Kudos to them for reporting the issue!

It's not a compromise of the PyPI server nor a third-party project, but the "typo squatting" issue which is known since at least June 2016 (for PyPI). The issue is not specific to Python: npmjs.com or rubygems.org are vulnerable to the same issue.

For example, a malicious package used the names "urllib" (no 3) and "urlib3" (1 L) instead of "urllib3" (2 L). These packages were downloaded by users, so the attack was effective.

More information on typo squatting and Python package security:
https://python-security.readthedocs.io/packages.html#pypi-typo-squatting

The PSRT contacted PyPI administrators and all identified packages were taken down, only 1h10 after the PSRT received the email from the National Security Authority of Slovakia!

The typo squatting issue is known and discussed, but no solution was found yet. See for example this warehouse issue:
https://github.com/pypa/warehouse/issues/2151

It seems like the consensus is that pip is not responsible for detecting malicious code; it's more the responsibility of PyPI.

The problem is to decide how to detect malicious code and/or prevent typo squatting on PyPI.

The issue has been discussed privately on the PSRT list last week. The National Security Authority of Slovakia just published their advisory, and a public discussion started on reddit:
https://news.ycombinator.com/item?id=15256121

I consider that it's now time to find a solution on the public python-dev mailing list.

Let's try to find a solution!

Can we learn something from the Update Framework (TUF)?

How do Javascript, Ruby, Perl and other programming languages deal with these security issues on their package manager?

See also my other notes on Python security and the list of known CPython vulnerabilities:
https://python-security.readthedocs.io/

Victor
[Python-Dev] Summary of Python tracker Issues
ACTIVITY SUMMARY (2017-09-08 - 2017-09-15)
Python tracker at https://bugs.python.org/

To view or respond to any of the issues listed below, click on the issue.
Do NOT respond to this message.

Issues counts and deltas:
  open    6171 (+22)
  closed 37065 (+68)
  total  43236 (+90)

Open issues with patches: 2349

Issues opened (59)
==

#28411: Eliminate PyInterpreterState.modules.
https://bugs.python.org/issue28411  reopened by eric.snow

#31370: Remove support for threads-less builds
https://bugs.python.org/issue31370  reopened by Arfrever

#31398: TypeError: gdbm key must be string, not unicode
https://bugs.python.org/issue31398  opened by sam-s

#31399: Let OpenSSL verify hostname and IP address
https://bugs.python.org/issue31399  opened by christian.heimes

#31404: undefined behavior and crashes in case of a bad sys.modules
https://bugs.python.org/issue31404  opened by Oren Milman

#31405: shutil.which doesn't find files without PATHEXT extension on W
https://bugs.python.org/issue31405  opened by rmccampbell7

#31410: int.__repr__() is slower than repr()
https://bugs.python.org/issue31410  opened by serhiy.storchaka

#31412: wave.open does not accept PathLike objects
https://bugs.python.org/issue31412  opened by mscuthbert

#31414: IDLE: Entry tests should delete before insert.
https://bugs.python.org/issue31414  opened by terry.reedy

#31415: Add -X option to show import time
https://bugs.python.org/issue31415  opened by inada.naoki

#31419: Can not install python3.6.2 due to Error 0x80070643: Failed to
https://bugs.python.org/issue31419  opened by fernado

#31422: tkinter.messagebox and tkinter.filedialog don't show default b
https://bugs.python.org/issue31422  opened by jcrmatos

#31423: Error while building PDF documentation
https://bugs.python.org/issue31423  opened by mdk

#31424: test_socket hangs on x86 Gentoo Installed with X 3.x
https://bugs.python.org/issue31424  opened by haypo

#31425: Expose AF_QIPCRTR in socket module
https://bugs.python.org/issue31425  opened by Bjorn Andersson

#31426: [3.5] crash in gen_traverse(): gi_frame.ob_type=NULL, called b
https://bugs.python.org/issue31426  opened by iwienand

#31427: Proposed addition to Windows FAQ
https://bugs.python.org/issue31427  opened by Stephan Houben

#31429: TLS cipher suite compile time option for downstream
https://bugs.python.org/issue31429  opened by christian.heimes

#31430: [Windows][2.7] Python 2.7 compilation fails on mt.exe crashing
https://bugs.python.org/issue31430  opened by haypo

#31431: SSL: check_hostname should imply CERT_REQUIRED
https://bugs.python.org/issue31431  opened by christian.heimes

#31432: Documention for CERT_OPTIONAL is misleading
https://bugs.python.org/issue31432  opened by christian.heimes

#31436: test_socket.SendfileUsingSendfileTest.testWithTimeoutTriggered
https://bugs.python.org/issue31436  opened by bmoyles

#31440: wrong default module search path in help message
https://bugs.python.org/issue31440  opened by xiang.zhang

#31441: Descriptor example in documentation is confusing, possibly wro
https://bugs.python.org/issue31441  opened by Benjamin Wohlwend

#31442: assertion failures on Windows in Python/traceback.c in case of
https://bugs.python.org/issue31442  opened by Oren Milman

#31443: Possibly out of date C extension documentation
https://bugs.python.org/issue31443  opened by Romuald

#31445: Index out of range in get of message.EmailMessage.get()
https://bugs.python.org/issue31445  opened by Michala

#31446: _winapi.CreateProcess (used by subprocess) is not thread-safe
https://bugs.python.org/issue31446  opened by evan_

#31447: proc communicate not exiting on python subprocess timeout usin
https://bugs.python.org/issue31447  opened by Leonardo Francalanci

#31449: Potential DoS Attack when Parsing Email with Huge Number of MI
https://bugs.python.org/issue31449  opened by ckossmann

#31450: Subprocess exceptions re-raised in parent process do not have
https://bugs.python.org/issue31450  opened by msekletar

#31451: PYTHONHOME is not absolutized
https://bugs.python.org/issue31451  opened by xiang.zhang

#31452: asyncio.gather does not cancel tasks if one fails
https://bugs.python.org/issue31452  opened by Andrew Lytvyn

#31453: Debian Sid/Buster: Cannot enable TLS 1.0/1.1 with PROTOCOL_TLS
https://bugs.python.org/issue31453  opened by adrianv

#31454: Include "import as" in tutorial
https://bugs.python.org/issue31454  opened by svenyonson

#31455: ElementTree.XMLParser() mishandles exceptions
https://bugs.python.org/issue31455  opened by scoder

#31456: SimpleCookie fails to parse any cookie if an entry has whitesp
https://bugs.python.org/issue31456  opened by Adam Davis

#31458: Broken link to Misc/NEWS in What's New page
https://bugs.python.org/issue31458  opened by Mariatta

#31459: IDLE: Remane Class Browser as Module Browser
https://bugs.python.org/issue31459  opened by terry.reedy

#31460: IDLE: Revise ModuleBrowser API
https://bugs.python.org/issue31460
Re: [Python-Dev] PEP 557: Data Classes
On 14/09/2017 at 19:24, Mike Miller wrote:
>
> On 2017-09-12 21:05, Guido van Rossum wrote:
>> It's ironic that some people dislike "data classes" because these are
>> regular classes, not just for data, while others are proposing
>> alternative names that emphasize the data container aspect. So "data
>> classes" splits the difference, by referring to both data and classes.
>
> True that these data-classes will be a superset of a traditional
> record. But, we already have objects and inheritance for those use
> cases. The data-class is meant to be used primarily like a record, so
> why not name it that way?

Because given how convenient it is, it will most probably become the default way to write classes in Python. Not just for records.

Everybody ends up wishing for a less verbose way to write day-to-day classes after a while.