I'm not sure what effective package review would look like here. Perhaps we could establish an entity to screen packages on an opt-in basis, but I don't know if we have the resources/people for this. Automated code screening could and probably would miss the `python-nation` example due to the unorthodox use of compressed instructions. Does anyone have any ideas?
-Ryan Birmingham

On 4 May 2017 at 20:08, Bruno Rocha <rochacbr...@gmail.com> wrote:
> Interesting detail, the mentioned package https://pypi.python.org/pypi/python-nation/1.0.1 was created and uploaded by Jacob Kaplan Moss, so I guess this is intended to be a POC, to show PyPI vulnerabilities or some Infosec experiment.
>
> On Thu, May 4, 2017 at 8:41 PM, Bruno Rocha <rochacbr...@gmail.com> wrote:
>
>> Hi,
>>
>> I just read this on reddit[0], a thread asking if PyPI packages are audited, and somebody pointed to `python-nation`[1], which is a harmful and useless module, installing itself and sending the `/etc/passwd` content to an external endpoint.
>>
>> The app receiving the data is hosted at http://python-nation.herokuapp.com
>>
>> and as the PSF mission [2] says
>>
>> The mission of the Python Software Foundation is to promote, protect, and advance the Python programming language
>>
>> I wonder if there is some workgroup at PSF to handle this? And not only the specific case of `python-nation`, which should be deleted and the user banned maybe, but also to handle the audit of other packages?
>>
>> [0] https://www.reddit.com/r/Python/comments/697da2/does_pypi_review_code_thats_uploaded/
>> [1] https://www.reddit.com/r/Python/comments/697da2/does_pypi_review_code_thats_uploaded/dh4uyf8/
>> [2] https://www.python.org/psf/mission/
>>
>> Cheers,
>>
>> --
>> *Bruno Rocha - @rochacbruno <http://twitter.com/rochacbruno>*
>> http://brunorocha.org
>
> --
> *Bruno Rocha - @rochacbruno <http://twitter.com/rochacbruno>*
> http://brunorocha.org
>
> _______________________________________________
> PSF-Community mailing list
> PSF-Community@python.org
> https://mail.python.org/mailman/listinfo/psf-community
_______________________________________________ PSF-Community mailing list PSF-Community@python.org https://mail.python.org/mailman/listinfo/psf-community
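As an added illustration of the screening problem raised in this thread (not code from the thread or from PyPI): a static AST screen for an uploaded setup.py that flags the shape of the `python-nation` case (a custom install hook, a compressed/encoded blob fed to exec, sensitive path literals, network imports at install time) and shows why a plain string search misses the compressed variant. It assumes CPython 3.8+ and uses a constructed sample setup.py whose hidden payload is only a harmless print.

```python
import ast, base64, zlib

# Patterns worth a reviewer's eye in a setup.py (assumed heuristics, not a PyPI rule set).
DECODERS = {("base64", "b64decode"), ("zlib", "decompress"), ("marshal", "loads")}
NETWORK_MODULES = {"urllib", "urllib2", "requests", "socket", "http", "httplib"}
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", ".ssh/")

def _callee(func):
    """Return (module, attr) for `mod.attr(...)`, or (None, name) for `name(...)`."""
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return func.value.id, func.attr
    if isinstance(func, ast.Name):
        return None, func.id
    return None, None

def screen_setup_source(src):
    """Static screen of setup.py source: returns findings, never executes the file."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            names = [a.name for a in node.names] if isinstance(node, ast.Import) else [node.module or ""]
            for name in names:
                if name.split(".")[0] in NETWORK_MODULES:
                    findings.append(f"network module imported at install time: {name}")
        elif isinstance(node, ast.Call):
            mod, attr = _callee(node.func)
            # exec/eval of anything but a literal string means code the reviewer cannot read.
            if mod is None and attr in ("exec", "eval") and node.args and not isinstance(node.args[0], ast.Constant):
                findings.append(f"{attr}() of computed data (possible decoded payload)")
            if (mod, attr) in DECODERS:
                findings.append(f"decoder call: {mod}.{attr}")
            if attr == "setup" and any(k.arg == "cmdclass" for k in node.keywords):
                findings.append("custom cmdclass: code runs during install")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            findings.extend(f"sensitive path literal: {p}" for p in SENSITIVE_PATHS if p in node.value)
    return findings

def grep_screen(src):
    """The naive check: substring search for sensitive paths in the raw source."""
    return [p for p in SENSITIVE_PATHS if p in src]

# Constructed sample: a harmless payload hidden behind compress+encode, the shape that beats grep.
HIDDEN = base64.b64encode(zlib.compress(b"print('hello')")).decode()
OBFUSCATED_SETUP = f"""
import base64, zlib
from setuptools import setup
from setuptools.command.install import install
class PostInstall(install):
    def run(self):
        exec(zlib.decompress(base64.b64decode('{HIDDEN}')))
setup(name='demo', version='0.0', cmdclass={{'install': PostInstall}})
"""

if __name__ == "__main__":
    print("grep:", grep_screen(OBFUSCATED_SETUP))  # [] -> the naive check sees nothing
    for finding in screen_setup_source(OBFUSCATED_SETUP):
        print("ast:", finding)
```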