[sf-lug] Malware on PyPI repository

Rick Moen rick at linuxmafia.com
Sun Dec 5 18:30:55 PST 2021


Quoting Bobbie Sellers (bliss-sf4ever at dslextreme.com):

> Well Rick I see the danger as the method used which might be extended to
> other platforms than PyPI.

{sigh}

That'd take a lot of explaining.  I just got through detailing why the
core problem (or rather, limitation) is that PyPI does zero curating,
and so _if_ people are careless enough to trust (and download and
execute) any-old-thing from any-old-person just because they find it on
PyPI, they are likely to shoot at their feet.

> You are always saying that getting the malware downloaded to a machine
> is the weak point of all these threats and they appear to have gotten
> into the repository without problems.

First of all, that's _not_ the thing I'm always saying.

What you're probably thinking of is my frequent point that the only
interesting question about malware is how it gets executed (and, if
necessary, how it escalates privilege enough to do harm).  Not what you
understood me to have said, at all.

And, separately, I just got through explaining that the bad guys "got
into the repository" because PyPI / Software Python Foundation accepts
any Python project from anyone.  On present evidence, they do zero
vetting, only tossing projects / owners who've been found to do evil.

And, to repeat myself yet again, the easy/obvious way to avert these
risks is to lean on distro package maintainers as gatekeepers.  Only at
your peril, and with great caution, and if/when absolutely necessary, 
circumvent the distro package regime to source code from elsewhere --
and then be aware that _you_ must assume all the duties of being a
gatekeeper, and may shoot at your feet if you fail at those duties.




