[Python-Dev] PEP 594: Removing dead batteries from the standard library

Stephen J. Turnbull turnbull.stephen.fw at u.tsukuba.ac.jp
Wed May 22 00:59:59 EDT 2019


Christian Heimes writes:

> It's all open source. It's up to the Python community to adopt packages and provide them on PyPI.
>
> Python core will not maintain and distribute the packages. I'll merely provide a repository with packages to help kick-start the process.

This looks to me like an opening to a special class of supply chain attacks. I realize that PyPI is not yet particularly robust to such attacks, and we have seen "similar name" attacks (malware uploaded under a name similar to a popular package). ISTM that this approach to implementing the PEP will enable "identical name" attacks. (By download count, stdlib packages are as popular as Python. :-)

It now appears that there's been substantial pushback against removing packages that could be characterized as "obsolete and superseded but still in use", so this may not be a sufficiently great risk to be worth addressing. I guess this post is already a warning to those who are taking care of the "similar name" malware that this class of attacks will be opened up.

One thing we could do that would require moderate effort would be to put them up on PyPI ourselves, and require that would-be maintainers be given a (light) vetting before handing over the keys. (Maybe just require that they be subscribers to the Dead Parrot SIG? :-)

Steve
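The defensive counterpart to the "identical name" concern raised above is to check, after an interpreter upgrade, where each module a project believes is standard library actually resolves from. The following is an added example, not code from the thread or from the PEP; it assumes the directory reported by `sysconfig.get_paths()["stdlib"]` is the interpreter's standard library and treats anything importable from elsewhere as third-party.

```python
"""Check where the modules a project imports actually resolve from.

A module that the project expects to come from the standard library but that
now resolves from site-packages is exactly the 'identical name' case: once the
stdlib copy is gone, a PyPI package of the same name answers the import.
"""
import importlib.util
import os
import sysconfig

# Assumption: sysconfig's 'stdlib' path is the interpreter's own library
# directory. Normalised so it can be compared against module origins.
STDLIB_DIR = os.path.normcase(os.path.realpath(sysconfig.get_paths()["stdlib"]))


def module_origin(name: str) -> str:
    """Return 'stdlib', 'third-party' or 'missing' for an import name."""
    try:
        spec = importlib.util.find_spec(name)
    except (ImportError, ValueError):
        return "missing"
    if spec is None:
        return "missing"
    if spec.origin in ("built-in", "frozen"):
        return "stdlib"  # compiled into the interpreter itself
    if spec.origin is None:
        return "third-party"  # namespace package; the stdlib ships none
    origin = os.path.normcase(os.path.realpath(spec.origin))
    if origin.startswith(STDLIB_DIR + os.sep):
        return "stdlib"
    return "third-party"


def audit_expected_stdlib(names):
    """Report every name that does not resolve from the stdlib directory.

    `names` is the set of imports the project believes are standard library.
    'third-party' means an installed package now owns that name; 'missing'
    means the module is gone and nothing has taken its place.
    """
    report = {}
    for name in sorted(names):
        origin = module_origin(name)
        if origin != "stdlib":
            report[name] = origin
    return report


if __name__ == "__main__":
    # Constructed sample: names a project might list as stdlib imports.
    EXPECTED = {"json", "sys", "telnetlib", "smtpd", "cgi"}
    for name, origin in audit_expected_stdlib(EXPECTED).items():
        print(f"{name}: {origin}")
```

Run it under each interpreter version you deploy to; a name that flips from an empty report to "third-party" is one where a PyPI distribution has taken over an import the code never meant to take from PyPI.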


