> On May 4, 2017, at 4:41 PM, Bruno Rocha wrote:
>
> Hi,
>
> I just read this on reddit[0], a thread asking if PyPI packages are audited,
> and somebody pointed to `python-nation`[1], which is a harmful and useless
> module, installing itself and sending the `/etc/passwd` content to external
This is not a solvable problem. IMNSHO, we should never attempt to implement
pre-screening of packages.
It is a good post-package-upload task for someone to try and do as a
research project.
Automated code scanning can only find already known things and similar
signatures (at which point it can ha
I'm not sure what effective package review would look like here. Perhaps we
could establish an entity to screen packages on an opt-in basis, but I
don't know if we have the resources/people for this. Automated code
screening could and probably would miss the python nation example due to
the unortho
That is a great observation Bruno!
-Jackie
On Thu, May 4, 2017 at 8:08 PM, Bruno Rocha wrote:
> Interesting detail: the mentioned package
> https://pypi.python.org/pypi/python-nation/1.0.1 was created and uploaded by
> Jacob Kaplan Moss, so I guess this is intended as a PoC to show PyPI
>
Interesting detail: the mentioned package
https://pypi.python.org/pypi/python-nation/1.0.1 was created and uploaded
by Jacob Kaplan Moss, so I guess this is intended as a PoC to show PyPI
vulnerabilities, or some infosec experiment.
On Thu, May 4, 2017 at 8:41 PM, Bruno Rocha wrote:
> Hi,
>
>
Hi,
I just read this on reddit[0], a thread asking if PyPI packages are audited,
and somebody pointed to `python-nation`[1], which is a harmful and useless
module, installing itself and sending the `/etc/passwd` content to an external
endpoint.
The app receiving the data is hosted at http://python-na
Dear PSF members,
We will host a PSF Members Lunch at PyCon US Portland, OR for those that
are registered for the conference. If you are a new or long-time PSF
member, it would be great to meet you in person.
- Day/time: Saturday May 20, 2017, 12:40pm local time
- Location: Oregon Conventio