On 5/6/22 09:24, Sam Ezeh wrote:
> ---------- Forwarded message ---------
> From: Sam Ezeh <sam.z.e...@gmail.com>
> Date: Fri, 6 May 2022, 15:29
> Subject: Re: Do projects exist to audit PyPI-hosted packages?
> To: Skip Montanaro <skip.montan...@gmail.com>
>
>
> I've had similar thoughts in the past. I don't know of anything but I wonder if repositories for other languages might have something to deal with it.
>
> A related problem is that even if a package is maintained by somebody with good intentions, the account might be hijacked by a malicious actor and since PyPI is separate from source control, people might not be able to find out easily and malware could spread through PyPI.
FWIW, there's talk of mandating MFA or appropriately scoped tokens to upload from a PyPI account to cut down on hijacking chances. As I understand it, a concern that has slowed this is that sometimes a "release" involves a ton of actual package uploads and that could involve considerable manual overhead if a 2FA sequence were required for each one.

Meanwhile, individual projects can now require 2FA in order for owners to do anything "administrative". Probably others understand the current state of play better here...

--
https://mail.python.org/mailman/listinfo/python-list