Re: [Python-Dev] SK-CSIRT identified malicious software libraries in the official Python package repository, PyPI

2017-09-15 Thread Jakub Wilk

* Victor Stinner, 2017-09-15, 23:08:

Why not just reserve the name but not provide any download file?


Is it possible at the moment?
I tried "python setup.py register", but all I got was:

Server response (410): Project pre-registration is no longer required or 
supported, so continue directly to uploading files.

--
Jakub Wilk
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com


Re: [Python-Dev] PEP 557: Data Classes

2017-09-15 Thread Mike Miller


On 2017-09-15 05:08, Michel Desmoulin wrote:

Because given how convenient it is, it will most probably become the
default way to write classes in Python. Not just for records.


Yes, would have been great if this was how the original object worked and the 
current barebones object was a base(object) or something like that.  Too late 
however.


Another option was "bag" which is more generic and brief, and might seem to fit 
better, but the discussion went towards record.


-Mike


Re: [Python-Dev] SK-CSIRT identified malicious software libraries in the official Python package repository, PyPI

2017-09-15 Thread Victor Stinner
An idea for typo squatting would be to compute the Levenshtein
distance with the package names of the standard library and the top 100
most popular PyPI packages, and require contacting a moderation team if
the name is too close to an existing package. The moderation team would
review the email, but also watch the package for 1 month to check
if everything seems fine.

It requires having a list of all package names of the standard
library, and maintaining an up-to-date list of popular PyPI package
names.

It also requires setting up a mailing list, and tooling to report the
error message to users, and then giving moderators the right to create
the package. I'm not sure that it's easy to implement.

Victor
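The check proposed in the message above, written out as an added example that is not part of the thread and not PyPI/Warehouse code. It normalizes names the way PEP 503 does (case-folding and collapsing runs of `-`, `_` and `.`), computes an edit distance against a protected list, and holds anything within one edit for human review. It goes slightly beyond plain Levenshtein by counting an adjacent-character transposition as a single edit (the optimal string alignment variant), since swapped letters such as "reqeusts" are a common typo that plain Levenshtein scores as two. The protected list below is a constructed sample, and the threshold of 1 is an assumption; a real deployment would load the full standard-library module list and the current top-N PyPI project names.

```python
import re

# Constructed sample of the protected list (assumption): a real deployment
# would load every standard-library module name plus the current top-N PyPI
# project names. "urllib" is stdlib-only and "urllib3" is a PyPI project;
# both belong in the list.
PROTECTED_NAMES = ["urllib", "urllib3", "requests", "setuptools", "numpy", "six", "pip"]


def normalize(name: str) -> str:
    """PEP 503 name normalization: lower-case and collapse runs of '-', '_' and '.'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def osa_distance(a: str, b: str) -> int:
    """Edit distance with adjacent transpositions counted as one edit.

    This is the optimal-string-alignment variant of Levenshtein distance, so
    'reqeusts' is one edit away from 'requests' instead of two.
    """
    m, n = len(a), len(b)
    d = [[0] * (n + 1) for _ in range(m + 1)]
    for i in range(m + 1):
        d[i][0] = i
    for j in range(n + 1):
        d[0][j] = j
    for i in range(1, m + 1):
        for j in range(1, n + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(
                d[i - 1][j] + 1,         # deletion
                d[i][j - 1] + 1,         # insertion
                d[i - 1][j - 1] + cost,  # substitution
            )
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[m][n]


def closest_protected(candidate, protected=PROTECTED_NAMES, max_distance=1):
    """Return [(protected_name, distance)] for names within max_distance, closest first."""
    cand = normalize(candidate)
    hits = [(name, osa_distance(cand, normalize(name))) for name in protected]
    hits = [(name, dist) for name, dist in hits if dist <= max_distance]
    return sorted(hits, key=lambda t: (t[1], t[0]))


def needs_moderation(candidate, protected=PROTECTED_NAMES, max_distance=1):
    """True when a new project name should be held for human review.

    Distance 0 is included on purpose: a standard-library name such as
    "urllib" has no PyPI project, so registering it exactly is the squat.
    Exact collisions with an existing PyPI project are rejected by the index
    anyway. The threshold of 1 is an assumption.
    """
    return bool(closest_protected(candidate, protected, max_distance))


if __name__ == "__main__":
    for name in ["urlib3", "urllib", "reqeusts", "Urllib_3", "my-cool-package"]:
        print(name, needs_moderation(name), closest_protected(name))
```

The names from the advisory message in this thread ("urllib" and "urlib3" for "urllib3") both land at distance 1 and would have been held for review. Normalization matters because PyPI treats "Urllib_3" and "urllib-3" as the same name; without it a squatter could slip past a raw string comparison.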


Re: [Python-Dev] SK-CSIRT identified malicious software libraries in the official Python package repository, PyPI

2017-09-15 Thread Victor Stinner
Benjamin Bach and Hanno Böck are running
https://www.pytosquatting.org/ and registered many projects like
https://pypi.python.org/pypi/urllib2

"In June 2016, Typosquatting programming language package managers
stated that urllib2 had ~4,000 downloads in 2 weeks. The package name
is now squatted by us (the good guys). We take these findings
seriously."

It seems like we need a solution to prevent a project that was removed
because it contained malicious code from being recreated automatically.

pytosquatting.org projects contain a download file: a tarball with a
setup.py file. This setup.py raises an exception, but also sends an HTTP
request, a "pingback", to their server.

Thank you for reserving the names of the standard library. But I'm not
sure about the HTTP "pingback" part. It can be on CIs, restricted
environments, etc.

Why not just reserve the name but not provide any download file?
With no download file, the user will likely understand his/her error,
no?

Note: I don't think that Benjamin Bach and Hanno Böck are related to
the PSRT nor PyPI administrators.

Victor

2017-09-15 22:28 GMT+02:00 Victor Stinner:
> Hi,
>
> Last week, the National Security Authority of Slovakia contacted the
> Python Security Response Team (PSRT) to report that the Python Package
> Index (PyPI) was hosting malicious packages. Installing these packages
> sends user data to an HTTP server, but also installs the expected module
> so it was an easy to notice the attack.
>
> Advisory: http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/
>
> Kudos to them for reporting the issue!
>
>
> It's not a compromise of the PyPI server nor of a third-party project,
> but the "typo squatting" issue, which has been known since at least June
> 2016 (for PyPI). The issue is not specific to Python: npmjs.com and
> rubygems.org are vulnerable to the same issue.
>
> For example, a malicious package used the names "urllib" (no 3) and
> "urlib3" (1 L) instead of "urllib3" (2 L). These packages were
> downloaded by users, so the attack was effective.
>
> More information on typo squatting and Python package security:
> https://python-security.readthedocs.io/packages.html#pypi-typo-squatting
>
> The PSRT contacted PyPI administrators and all identified packages
> were taken down, only 1h10 after the PSRT received the email from the
> National Security Authority of Slovakia!
>
>
> The typo squatting issue is known and discussed, but no solution has
> been found yet. See for example this warehouse issue:
> https://github.com/pypa/warehouse/issues/2151
>
> It seems like the consensus is that pip is not responsible for detecting
> malicious code; it's more the responsibility of PyPI.
>
> The problem is to decide how to detect malicious code and/or prevent
> typo squatting on PyPI.
>
>
> The issue has been discussed privately on the PSRT list last week. The
> National Security Authority of Slovakia just published their advisory,
> and a public discussion started on reddit:
> https://news.ycombinator.com/item?id=15256121
>
> I consider that it's now time to find a solution on the public
> python-dev mailing list.
>
>
> Let's try to find a solution!
>
> Can we learn something from the Update Framework (TUF)?
>
> How do JavaScript, Ruby, Perl and other programming languages deal
> with these security issues in their package managers?
>
>
> See also my other notes on Python security and the list of known
> CPython vulnerabilities:
> https://python-security.readthedocs.io/
>
> Victor
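Both the advisory packages (install-time data exfiltration) and the pytosquatting.org placeholders (an install-time "pingback") share one trait: their setup.py talks to the network. As an added example that is not part of the thread and is neither pytosquatting.org's nor PyPI's code, here is the kind of static check an index or a cautious consumer could run over an sdist before trusting it: pull every setup.py out of the tarball and list the network-capable modules it imports. The module list, the constructed tarballs, the placeholder URL example.invalid and the two sample setup.py files are assumptions; the second sample shows the pingback-free alternative raised in the message above (a placeholder that only fails loudly). The caveat of any import scan is that obfuscated loading (importlib, exec of a string) slips past it, so it is a triage signal, not proof of absence.

```python
import ast
import io
import tarfile

# Modules a build script has no legitimate reason to import at install time
# (assumption: a starting list, not a complete one).
NETWORK_MODULES = {"urllib", "urllib2", "urllib3", "requests", "socket", "http", "httplib", "ssl"}


def _top_level(dotted: str) -> str:
    return dotted.split(".")[0]


def network_imports_in_source(source: str) -> set:
    """Statically list network-capable top-level modules imported by a setup.py.

    Returns {"<syntax-error>"} when the file does not parse, which is itself
    worth a look. Obfuscated loading (importlib, exec of a string) is not
    caught by an import scan; that is the limit of a static check.
    """
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return {"<syntax-error>"}
    found = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom) and node.module:
            names = [node.module]
        else:
            continue
        for name in names:
            if _top_level(name) in NETWORK_MODULES:
                found.add(_top_level(name))
    return found


def scan_sdist(fileobj) -> dict:
    """Map each setup.py inside an sdist tarball to the network modules it imports."""
    report = {}
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.rsplit("/", 1)[-1] == "setup.py":
                source = tar.extractfile(member).read().decode("utf-8", "replace")
                report[member.name] = network_imports_in_source(source)
    return report


def is_suspicious(report: dict) -> bool:
    """True if any setup.py in the report imports a network module (or fails to parse)."""
    return any(report.values())


# --- constructed test data (not real packages) ---------------------------

def build_sdist(project: str, setup_py: str) -> io.BytesIO:
    """Build an in-memory .tar.gz holding a single setup.py (constructed input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        data = setup_py.encode("utf-8")
        info = tarfile.TarInfo(name=f"{project}-0.0.1/setup.py")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


# Mimics the placeholder-with-pingback pattern described in the thread; the
# URL is a placeholder and this source is only parsed here, never executed.
PINGBACK_SETUP = '''\
import urllib.request
from setuptools import setup

urllib.request.urlopen("https://example.invalid/pingback")  # phones home on install
raise RuntimeError("urllib2 is a Python 2 standard-library module, not a PyPI package")
'''

# The quieter alternative: a placeholder that only fails loudly, no network.
QUIET_SETUP = '''\
import sys
sys.exit("This name is reserved: it is a standard-library module, not a PyPI package")
'''

if __name__ == "__main__":
    for project, src in [("urllib2", PINGBACK_SETUP), ("urllib2", QUIET_SETUP)]:
        report = scan_sdist(build_sdist(project, src))
        print(project, "suspicious" if is_suspicious(report) else "clean", report)
```

Pointing `scan_sdist` at a real download (`open(path, "rb")`) is the intended use; the in-memory tarballs exist only so the example runs offline.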


[Python-Dev] SK-CSIRT identified malicious software libraries in the official Python package repository, PyPI

2017-09-15 Thread Victor Stinner
Hi,

Last week, the National Security Authority of Slovakia contacted the
Python Security Response Team (PSRT) to report that the Python Package
Index (PyPI) was hosting malicious packages. Installing these packages
sends user data to an HTTP server, but also installs the expected module
so it was an easy to notice the attack.

Advisory: http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/

Kudos to them for reporting the issue!


It's not a compromise of the PyPI server nor of a third-party project,
but the "typo squatting" issue, which has been known since at least June
2016 (for PyPI). The issue is not specific to Python: npmjs.com and
rubygems.org are vulnerable to the same issue.

For example, a malicious package used the names "urllib" (no 3) and
"urlib3" (1 L) instead of "urllib3" (2 L). These packages were
downloaded by users, so the attack was effective.

More information on typo squatting and Python package security:
https://python-security.readthedocs.io/packages.html#pypi-typo-squatting

The PSRT contacted PyPI administrators and all identified packages
were taken down, only 1h10 after the PSRT received the email from the
National Security Authority of Slovakia!


The typo squatting issue is known and discussed, but no solution has
been found yet. See for example this warehouse issue:
https://github.com/pypa/warehouse/issues/2151

It seems like the consensus is that pip is not responsible for detecting
malicious code; it's more the responsibility of PyPI.

The problem is to decide how to detect malicious code and/or prevent
typo squatting on PyPI.


The issue has been discussed privately on the PSRT list last week. The
National Security Authority of Slovakia just published their advisory,
and a public discussion started on reddit:
https://news.ycombinator.com/item?id=15256121

I consider that it's now time to find a solution on the public
python-dev mailing list.


Let's try to find a solution!

Can we learn something from the Update Framework (TUF)?

How do JavaScript, Ruby, Perl and other programming languages deal
with these security issues in their package managers?


See also my other notes on Python security and the list of known
CPython vulnerabilities:
https://python-security.readthedocs.io/

Victor


[Python-Dev] Summary of Python tracker Issues

2017-09-15 Thread Python tracker

ACTIVITY SUMMARY (2017-09-08 - 2017-09-15)
Python tracker at https://bugs.python.org/

To view or respond to any of the issues listed below, click on the issue.
Do NOT respond to this message.

Issues counts and deltas:
  open    6171 (+22)
  closed 37065 (+68)
  total  43236 (+90)

Open issues with patches: 2349 


Issues opened (59)
==

#28411: Eliminate PyInterpreterState.modules.
https://bugs.python.org/issue28411  reopened by eric.snow

#31370: Remove support for threads-less builds
https://bugs.python.org/issue31370  reopened by Arfrever

#31398: TypeError: gdbm key must be string, not unicode
https://bugs.python.org/issue31398  opened by sam-s

#31399: Let OpenSSL verify hostname and IP address
https://bugs.python.org/issue31399  opened by christian.heimes

#31404: undefined behavior and crashes in case of a bad sys.modules
https://bugs.python.org/issue31404  opened by Oren Milman

#31405: shutil.which doesn't find files without PATHEXT extension on W
https://bugs.python.org/issue31405  opened by rmccampbell7

#31410: int.__repr__() is slower than repr()
https://bugs.python.org/issue31410  opened by serhiy.storchaka

#31412: wave.open does not accept PathLike objects
https://bugs.python.org/issue31412  opened by mscuthbert

#31414: IDLE: Entry tests should delete before insert.
https://bugs.python.org/issue31414  opened by terry.reedy

#31415: Add -X option to show import time
https://bugs.python.org/issue31415  opened by inada.naoki

#31419: Can not install python3.6.2 due to Error 0x80070643: Failed to
https://bugs.python.org/issue31419  opened by fernado

#31422: tkinter.messagebox and tkinter.filedialog don't show default b
https://bugs.python.org/issue31422  opened by jcrmatos

#31423: Error while building PDF documentation
https://bugs.python.org/issue31423  opened by mdk

#31424: test_socket hangs on x86 Gentoo Installed with X 3.x
https://bugs.python.org/issue31424  opened by haypo

#31425: Expose AF_QIPCRTR in socket module
https://bugs.python.org/issue31425  opened by Bjorn Andersson

#31426: [3.5] crash in gen_traverse(): gi_frame.ob_type=NULL, called b
https://bugs.python.org/issue31426  opened by iwienand

#31427: Proposed addition to Windows FAQ
https://bugs.python.org/issue31427  opened by Stephan Houben

#31429: TLS cipher suite compile time option for downstream
https://bugs.python.org/issue31429  opened by christian.heimes

#31430: [Windows][2.7] Python 2.7 compilation fails on mt.exe crashing
https://bugs.python.org/issue31430  opened by haypo

#31431: SSL: check_hostname should imply CERT_REQUIRED
https://bugs.python.org/issue31431  opened by christian.heimes

#31432: Documention for CERT_OPTIONAL is misleading
https://bugs.python.org/issue31432  opened by christian.heimes

#31436: test_socket.SendfileUsingSendfileTest.testWithTimeoutTriggered
https://bugs.python.org/issue31436  opened by bmoyles

#31440: wrong default module search path in help message
https://bugs.python.org/issue31440  opened by xiang.zhang

#31441: Descriptor example in documentation is confusing, possibly wro
https://bugs.python.org/issue31441  opened by Benjamin Wohlwend

#31442: assertion failures on Windows in Python/traceback.c in case of
https://bugs.python.org/issue31442  opened by Oren Milman

#31443: Possibly out of date C extension documentation
https://bugs.python.org/issue31443  opened by Romuald

#31445: Index out of range in get of message.EmailMessage.get()
https://bugs.python.org/issue31445  opened by Michala

#31446: _winapi.CreateProcess (used by subprocess) is not thread-safe
https://bugs.python.org/issue31446  opened by evan_

#31447: proc communicate not exiting on python subprocess timeout usin
https://bugs.python.org/issue31447  opened by Leonardo Francalanci

#31449: Potential DoS Attack when Parsing Email with Huge Number of MI
https://bugs.python.org/issue31449  opened by ckossmann

#31450: Subprocess exceptions re-raised in parent process do not have 
https://bugs.python.org/issue31450  opened by msekletar

#31451: PYTHONHOME is not absolutized
https://bugs.python.org/issue31451  opened by xiang.zhang

#31452: asyncio.gather does not cancel tasks if one fails
https://bugs.python.org/issue31452  opened by Andrew Lytvyn

#31453: Debian Sid/Buster: Cannot enable TLS 1.0/1.1 with PROTOCOL_TLS
https://bugs.python.org/issue31453  opened by adrianv

#31454: Include "import as" in tutorial
https://bugs.python.org/issue31454  opened by svenyonson

#31455: ElementTree.XMLParser() mishandles exceptions
https://bugs.python.org/issue31455  opened by scoder

#31456: SimpleCookie fails to parse any cookie if an entry has whitesp
https://bugs.python.org/issue31456  opened by Adam Davis

#31458: Broken link to Misc/NEWS in What's New page
https://bugs.python.org/issue31458  opened by Mariatta

#31459: IDLE: Remane Class Browser as Module Browser
https://bugs.python.org/issue31459  opened by terry.reedy

#31460: IDLE: Revise ModuleBrowser API
https://bugs.python.org/issue31460  

Re: [Python-Dev] PEP 557: Data Classes

2017-09-15 Thread Michel Desmoulin


On 14/09/2017 at 19:24, Mike Miller wrote:
> 
> On 2017-09-12 21:05, Guido van Rossum wrote:
>> It's ironic that some people dislike "data classes" because these are
>> regular classes, not just for data, while others are proposing
>> alternative names that emphasize the data container aspect. So "data
>> classes" splits the difference, by referring to both data and classes.
> 
> True that these data-classes will be a superset of a traditional
> record.  But, we already have objects and inheritance for those use
> cases.  The data-class is meant to be used primarily like a record, so
> why not name it that way?

Because given how convenient it is, it will most probably become the
default way to write classes in Python. Not just for records.

Everybody ends up wishing for a less verbose way to write day-to-day
classes after a while.