Masthash

#PyPI

#CONDA and #pip (at least the “wheels” part of it) are essentially “binary distros”: they focus on distributing pre-built binaries without concern on how they were built, nor whether they can actually be built from source. Without a conscious effort to require reproducible builds so that anyone can independently verify binaries, these tools are doomed to be not only unsafe but also opaque—and there are to date no signs of CONDA and #PyPI /pip moving in that direction.
#guix
https://hpc.guix.info/blog/2021/09/whats-in-a-package/
https://nitter.net/benbovy/status/1440027976364552199#m

Juan Luis
6 days ago

Published my first PyPI package using Trusted Publishers 🥳

#python #pypi #OpenSource

Screenshot of progress bar showing upload of a package using PyPI

📨 Latest issue of my curated #cybersecurity and #infosec list of resources for week #46/2023 is out! It includes the following and much more:

➝ 🔓 🇯🇵 #Toyota confirms breach after Medusa #ransomware threatens to leak data
➝ 🇺🇸 😂 Ransomware gang files #SEC complaint over victim’s undisclosed #breach
➝ 🔓 🪶 Attackers claim Plume Design, Inc data breach
➝ 🇺🇸 💰 #ICBC paid ransom after hack that disrupted markets, #cybercriminals say
➝ 🔓 #Dragos Says No Evidence of Breach After Ransomware Gang Claims Hack via Third Party
➝ 🔓 ✈️ Hackers swipe Booking.com, damage from attack is global
➝ 🇷🇺 🇺🇦 Russian #CyberEspionage Group Deploys #LitterDrifter USB #Worm in Targeted Attacks
➝ 🇮🇱 🇺🇸 Israeli Man Who Made $5M From Hacking Scheme Sentenced to Prison in US
➝ 🇫🇮 ⚖️ Alleged Extortioner of Psychotherapy Patients Faces Trial
➝ 🇺🇸 💸 #LockBit ransomware exploits #CitrixBleed in attacks, 10K servers exposed
➝ 🇺🇸 ⚖️ #IPStorm botnet with 23,000 proxies for malicious traffic dismantled
➝ 👶🏻 🧨 Teens with “digital bazookas” are winning the ransomware war, researcher laments
➝ 💸 #Ethereum feature abused to steal $60 million from 99K victims
➝ 🇩🇰 🇷🇺 #Denmark Hit With Largest #Cyberattack on Record
➝ 🇨🇳 🇰🇭 Chinese Hackers Launch Covert #Espionage Attacks on 24 Cambodian Organizations
➝ 🇲🇾 Major Phishing-as-a-Service Syndicate '#BulletProofLink' Dismantled by Malaysian Authorities
➝ 🇪🇺 🥳 EU Parliament committee rejects mass scanning of private and encrypted communications
➝ 🩹 #ICS Patch Tuesday: 90 Vulnerabilities Addressed by Siemens and Schneider Electric
➝ 🦠 🐍 27 Malicious #PyPI Packages with Thousands of Downloads Found Targeting IT Experts
➝ 🇻🇳 🇮🇳 Vietnamese Hackers Using New #Delphi-Powered #Malware to Target Indian Marketers
➝ 🔐 #Google Adds #Passkey Support to New Titan Security Key
➝ 🐛 Zero-Day Flaw in #Zimbra Email Software Exploited by Four Hacker Groups
➝ 🩹 #SAP Patches Critical Vulnerability in Business One Product
➝ 🐛 New #Reptar CPU flaw impacts Intel desktop and server systems
➝ 🐛 New #CacheWarp AMD #CPU attack lets hackers gain root in Linux VMs

📚 This week's recommended reading is: "Tribe of Hackers: Cybersecurity Advice from the Best Hackers in the World" by @marcusjcarey and Jennifer Jin

Subscribe to the #infosecMASHUP newsletter to have it piping hot in your inbox every week-end ⬇️

https://infosec-mashup.santolaria.net/p/infosec-mashup-week-462023

ricardo :mastodon:
3 weeks ago

27 Malicious #PyPI Packages with Thousands of Downloads Found Targeting IT Experts ⚠️

https://thehackernews.com/2023/11/27-malicious-pypi-packages-with.html

Scripter :verified_flashing:
3 weeks ago

27 Malicious PyPI Packages with Thousands of Downloads Found Targeting IT Experts
https://thehackernews.com/2023/11/27-malicious-pypi-packages-with.html #Python #PyPI

Sam Stepanyan :verified: 🐘
3 weeks ago

#PyPi 27 Malicious Python PyPI Packages with Thousands of Downloads Found Targeting IT Experts. The malicious packages include: pyefflorer, pyminor, pyowler, pystallerer, pystob, and pywool:
#SupplyChainSecurity

https://thehackernews.com/2023/11/27-malicious-pypi-packages-with.html

ottoto
3 weeks ago

"27 malicious #PyPI packages with thousands of downloads found targeting IT experts": The Hacker News

"It said that 27 packages posing as popular, legitimate #Python libraries attracted thousands of downloads. Most of the downloads came from the United States, China, France, Hong Kong, Germany, Russia, Ireland, Singapore, the United Kingdom and Japan."

https://thehackernews.com/2023/11/27-malicious-pypi-packages-with.html

#prattohome #TheHackerNews

Freemind
3 weeks ago

Among the deceptive packages were ones named pyefflorer, pyminor, pyowler, pystallerer, pystob, and pywool, with the latter being planted on May 13, 2023.

#Cybersecurity #Python #Developers #Malware #PyPI

https://cybersec84.wordpress.com/2023/11/17/27-malicious-python-packages-discovered-thousands-of-it-experts-at-risk/

#Linux users can no longer feel confident that they will not get unwanted garbage on their system when even package managers like #PyPI are contaminated. Destruction is increasing in all areas. Honestly, I don't understand what drives these disgusting creatures to ruin everything. How can you get excited about that? This doesn't just mean crackers, but also all those who wear ties, who also vehemently defend their actions and present them as a blessing for everyone.

https://thehackernews.com/2023/11/27-malicious-pypi-packages-with.html

#Linux users have long been unable to feel safe from picking up unwanted garbage on their systems when even package repositories like #PyPI are contaminated. Destruction is on the rise in every area. Honestly, I don't get what drives these repulsive creatures to break everything. How can anyone get off on that? This means not only crackers, but also all the suit-and-tie types who vehemently defend their actions on top of it and present them as a blessing for everyone.

https://thehackernews.com/2023/11/27-malicious-pypi-packages-with.html

jbz
4 weeks ago

🐍 Developers can’t seem to stop exposing credentials in publicly accessible code | @arstechnica

"Researchers from security firm GitGuardian this week reported finding almost 4,000 unique secrets stashed inside a total of 450,000 projects submitted to PyPI, the official code repository for the Python programming language"

https://arstechnica.com/?p=1984368

#Python #PyPI #Cybersecurity

IT News
4 weeks ago

Developers can’t seem to stop exposing credentials in publicly accessible code - Enlarge (credit: Victor De Schwanberg/Science Photo Library via Getty I... - https://arstechnica.com/?p=1984368 #coderepositories #credentials #passwords #security #biz#pypi

Tech news from Canada
4 weeks ago

Ars Technica: Developers can’t seem to stop exposing credentials in publicly accessible code https://arstechnica.com/?p=1984368 #Tech #arstechnica #IT #Technology #coderepositories #credentials #passwords #Security #Biz&IT #pypi

Chris Carr
4 weeks ago

Very nice! Way to go PyPI and Open Technology Fund. Seems like few significant issues were found in the audit of PyPI’s code base & infrastructure
#python #opensource #pypi #security

https://blog.pypi.org/posts/2023-11-14-1-pypi-completes-first-security-audit/

dubbel
1 month ago

It has been more than 6 months since my last report of a malicious package on #PyPI, and I started to think about retiring the Package Observatory Club, when I got another true positive:

mathz (or "SPY bot") was rudimentary remote control software with keylogging, screenshot and command execution capabilities. It communicates via Telegram. Comments were in Uzbek, at least according to Google Translate.

It was removed less than 3 minutes after my report - great job!

#infosec #python

mcdwayne
1 month ago

What has 3,938 total unique secrets across all projects?
#PyPI

This is not a joke.

https://blog.gitguardian.com/uncovering-thousands-of-unique-secrets-in-pypi-packages/

Florian Haas
1 month ago

How do you personally pronounce #PyPI?

(Boosts OK. Also, this is *not* a question about the "correct" pronunciation.)

IoT is the grey goo
1 month ago

@thenewoil

This is in the notorious PyPI, no?

#Malware reports should make a distinction between repos that are thoroughly curated and those that are not. #PyPI is known to be very risky; having this malware in, say, Debian or Fedora repos would be a much more serious issue.

jbz
1 month ago

🐍 Beware, Developers: BlazeStealer Malware Discovered in Python Packages on PyPI
http://thehackernews.com/2023/11/beware-developers-blazestealer-malware.html

#Python #PyPI #Malware #Cybersecurity

gram
1 month ago

New blog post: Diving into PyPI package name squatting:

https://blog.orsinium.dev/posts/py/pypi-squatting/

I always wanted to find time to dive into the subject, and today's news about yet another malware campaign on PyPI motivated me to do so.

Special thanks to @sethmlarson for providing the dataset.

#pypi #python

Stephen McMaster
1 month ago

Yet another software supply chain vulnerability. Last week, I highlighted issues with NuGet packages, this week - PyPi (Python Package Index), as reported by HackerNews, has packages infected with #Blazestealer
#python #pypi #vulnerability - I feel a blog brewing 😀
https://thehackernews.com/2023/11/beware-developers-blazestealer-malware.html

PyPi Packages are infected with the BlazeStealer Virus
Kevin Bowen :xfce:
1 month ago

Finally got all of my non-google #2FA off of Google Authenticator & set up on #KeyPass #KeyPassXC

I had been putting it off out of fear that it was going to be painful & cumbersome.

For the websites/apps that I am using, I was pleasantly surprised that most of them seem to have their shit together (e.g. #pypi #protonmail #digitalocean #heroku etc.)

I can check one thing off of my todo list this week! Thanks for playing nice with your UI/UX #security

ottoto
1 month ago

"Developers beware: #BlazeStealer #malware discovered in #Python #packages on #PyPI": The Hacker News

""[BlazeStealer] retrieves an additional malicious script from an external source, enabling a Discord bot that gives attackers full control over the victim's computer," it said.

The campaign, which began in January 2023, includes a total of eight packages named Pyobftoexe, Pyobfusfile, Pyobfexecute, Pyobfpremium, Pyobflite, Pyobfadvance, Pyobfuse and pyobfgood, the last of which was published in October."

https://thehackernews.com/2023/11/beware-developers-blazestealer-malware.html

#prattohome #TheHackerNews

Matthew Martin ☑ ✅📛
1 month ago

@offby1 Or ask for commit rights & #pypi package rights.

pypi's own rules on what constitutes an abandoned package and #PEP541 may have some norms to guide you https://peps.python.org/pep-0541/#how-to-request-a-name-transfer

(That is about asking pypi to let you take it over, but I suppose you could use similar rules to justify a fork & rename)

spikeinterface
1 month ago

#NeuroMastodon #ephys #spikesorting

📢📢📢📢📢
SpikeInterface v0.99.0 has been released on #PyPi!

https://pypi.org/project/spikeinterface/0.99.0/

Just run this to upgrade your installation:

pip install --upgrade spikeinterface

Check out the release notes here:
https://spikeinterface.readthedocs.io/en/0.99.0/releases/0.99.0.html

Anyone else seeing timeouts to #pypi.org with #pip?

#python #dev

Phylum
1 month ago

How about some #npm #malware to start your day? Along with the #pypi campaign we have been reporting on, we have also identified a large number of #javascript packages deploying a reverse shell.

https://blog.phylum.io/dozens-of-npm-packages-caught-attempting-to-deploy-reverse-shell/

#opensource #cybersecurity #infosec #npmjs #nodejs #supplychain

Phylum
1 month ago

We continue to see #malware #python packages published to #pypi. Over the last few days we've been tracking a series of #software packages purporting to help with internationalization.

https://blog.phylum.io/obfuscated-pypi-packages-purporting-to-be-i18n-libraries-actually-stealing-telegram-data/

We're also tracking several other campaigns in other ecosystems. More on this to follow.

#opensource #pythonprogramming #cybersecurity #supplychain

Brett Cannon
1 month ago

Trusted publishing on #PyPI is great! https://docs.pypi.org/trusted-publishers/

Not worrying about API tokens is very nice (I used to create a temporary token to upload via `twine`)! Now a release is a 3 step process:

1. Bump version (and I'm using CalVer for everything I push to PyPI, so that's easy to figure out)
2. Run the release workflow (example: https://github.com/brettcannon/microvenv/blob/main/.github/workflows/release.yml)
3. Create a GitHub release

I plan to automate away step 1 via PDM or Hatch. 😁 And I can automate drafting GH releases.

I sat down with the awesome @mkennedy last month for a fun @talkpython #podcast conversation.

Check it out here:
https://talkpython.fm/episodes/show/435/pypi-security

#Python #PyPI #Security

Françoise Conil
2 months ago

I am surprised by the URL displayed on PyPI for the YAPF project: https://pypi.org/project/yapf/0.40.2/#description

- "url" is displayed instead of "Home",
- no documentation or issue URL is displayed

I thought it could be due to the quotes but the changelog URL is displayed.

#Python #Packaging #PyPI
@danielfeldroy

Total Release count on @pypi just passed 5 million!

#Python #Packaging #PyPI

Michał Górny
2 months ago

And did you know that #Yandex, a truly evil corporation in the service of a truly evil state, has automatically registered almost 1200 projects on #PyPI? Apparently they serve "to prevent Dependency Confusion attacks against Yandex". Although many of them are indeed assigned to the "yandex-*" namespace, completely random names were also registered, such as "selenium2mysql", "browser", "feedback", "git-pre-commit-hook", "parametrized", "easy_install" (the last one has been removed by the admins)…

https://pypi.org/user/yandex-bot/

#Python

Michał Górny
2 months ago

Did you know that #Yandex, the evil corporation of the evil state, has automatically registered almost 1200 projects on #PyPI? Apparently they are meant "to prevent Dependency Confusion attacks against Yandex". While many of them are indeed "yandex-namespace", they also registered random names like "selenium2mysql", "browser", "feedback", "git-pre-commit-hook", "parametrized", "easy_install" (removed by admins already)…

https://pypi.org/user/yandex-bot/

#Python #RussiaIsATerroristState

SnowJ ❄
2 months ago

Scratch your own itches, they say.

Today's itch is repeatedly asking what version of [package] introduced an incompatible requirement on [other package], so I wrote a small #Python tool for querying the #PyPI JSON APIs to get an answer.

https://snoopj.dev/pyplay/packaging_/query_pypi_requirements_by_version/

Codethink
2 months ago

At @codethink we care heavily about safety and we are eager to share this article about the dangers you could possibly face while using a very popular platform.

Learn how to make the most of PyPI while protecting yourself from security risks. In this blog, you will find insightful information on the potential dangers of PyPI and how you can navigate around them safely.

Read the full blog: https://www.codethink.co.uk/articles/2023/pypi-safety/

#PyPI #Mirroring #Python #Pip #OpenSource #FreeSoftware

Michael Aye
2 months ago

Activated #2fa for #pypi today. Was amazingly pain free using a Yubikey and Authy, even under Linux.

Mr.P
2 months ago

And here's the good stuff 😎
The #ETA interface is available in Python via #PyPi

https://github.com/Poeschl/pyETA

I'll use it right away here at my place too, with a small script to keep track of changes to the charging times at my parents' home. :awesome: My dad likes to fiddle with those.

Neil :emacs: :orgmode:
2 months ago

I've blogged previously about Python Packaging and described how to automate publishing to PyPI when your project is hosted on GitHub.

I've now worked out how to do this from GitLab and so have written that up too...

https://ns-rse.github.io/posts/gitlab-ci-pypi/

#gitlab #pypi #publishing #ci

📨 Latest issue of my curated #cybersecurity and #infosec list of resources for week #39/2023 is out! It includes the following and much more:

➝ 🔓 #GitHub repos bombarded by info-stealing commits masked as #Dependabot
➝ 🇯🇵 💸 #Sony Investigating After Hackers Offer to Sell Stolen Data
➝ 🔓 #BORN Ontario child registry #databreach affects 3.4 million people
➝ 🇭🇰 🔓 Personal data of 25,000 Hongkongers at risk after #cyberattack against consumer watchdog, up from earlier estimate of 8,000
➝ 🇺🇸 🔓 National Student Clearinghouse data breach impacts 890 #schools
➝ 🇨🇦 ✈️ #AirCanada discloses data breach of employee and 'certain records'
➝ 🇰🇵 🇪🇸 North Korean hackers posed as #Meta recruiter on #LinkedIn
➝ 👥 ShadowSyndicate: A New #Cybercrime Group Linked to 7 #Ransomware Families
➝ 🇷🇺 ✈️ Russian flight booking system suffers ‘massive’ cyberattack
➝ 🇨🇳 🇺🇸 Chinese hackers stole emails from US State Dept in #Microsoft breach, Senate staffer says
➝ 🇨🇳 Chinese Hackers TAG-74 Targets South Korean Organizations in a Multi-Year Campaign
➝ 🇺🇦 🚀 Ukrainian Military Targeted in Phishing Campaign Leveraging #Drone Manuals
➝ 🥷🏻 💰 Hackers steal $200M from #crypto company #Mixin
➝ 🇳🇬 ⚖️ Nigerian man pleads guilty to attempted $6 million BEC email heist
➝ 🇺🇸 ⚖️ ShinyHunters member pleads guilty to $6 million in data theft damages
➝ 🇨🇳 #China-Linked Budworm Targeting Middle Eastern #Telco and Asian Government Agencies
➝ 🇨🇳 🚪 Backdoored firmware lets China state hackers control #routers with “magic packets”
➝ 🇺🇸 👮🏻‍♂️Security researcher warns of chilling effect after feds search phone at #airport
➝ 🦠 ❗️FBI Warns Organizations of Dual Ransomware, Wiper Attacks
➝ 🤖 🦠 #Bing Chat responses infiltrated by ads pushing #malware
➝ 🏥 🎣 Red Cross-Themed #Phishing Attacks Distributing DangerAds and AtlasAgent Backdoors
➝ 🥷🏻 🐍 #SSH keys stolen by stream of malicious #PyPI and #npm packages
➝ 🏦 🎠 New Variant of #Banking #Trojan BBTok Targets Over 40 Latin American Banks
➝ 🦠 🚪 #Deadglyph: New Advanced Backdoor with Distinctive Malware Tactics
➝ 🚀 #Sysdig Launches Realtime Attack Graph for Cloud Environments
➝ 🐛 📨 Critical vulnerabilities in #Exim threaten over 250k #email servers worldwide
➝ 🔓 Progress warns of maximum severity WS_FTP Server vulnerability
➝ 🩹 🔥 #Google fixes fifth actively exploited Chrome zero-day of 2023
➝ 🩹 🍏 #macOS 14 #Sonoma Patches 60 #Vulnerabilities
➝ 🩹 🦊 #Firefox 118 Patches High-Severity Vulnerabilities
➝ 🤫 ✅ Google quietly corrects previously submitted disclosure for critical #webp 0-day
➝ 👀 🇪🇬 0-days exploited by commercial surveillance vendor in #Egypt

📚 This week's recommended reading is: "Philosophy of Cybersecurity" by @LukaszOlejnik and Artur Kurasinski

Subscribe to the #infosecMASHUP newsletter to have it piping hot in your inbox every week-end ⬇️

https://infosec-mashup.santolaria.net/p/infosec-mashup-week-392023

Xavi
2 months ago

Publish Python packages to PyPI with Poetry

While working on my pyxavi #Python library I was wondering how complicated it would be to publish it like the rest of the packages I use often. How difficult is it to build and distribute a project through #PyPI? In this article I go through the steps of building and publishing a Python package to PyPI with #Poetry for everyone to use.

https://xavier.arnaus.net/blog/publish-python-packages-to-pypi-with-poetry

slackline
2 months ago

Got a problem with GitLab CI and Variables not being shown on pipelines triggered by $CI_COMMIT_TAG

If anyone has experience/ideas details are at

https://forum.gitlab.com/t/ci-variables-missing-when-triggering-build-based-on-tag/93309

#gitlab #ci #pypi #python

Hugo van Kemenade
2 months ago

Some findings from the annual #Python survey by @ThePSF & #JetBrains

93% use Python 3.

The latest Python is used by most people (3.10 at the time of the survey), with each older release the next most popular: 3.10, 3.9, 3.8, 3.7, 3.6...

This is interesting as current #PyPI download stats show 3.8, 3.7, 3.9, 3.10, 3.11... There's a big skew for 3.7 from certain Linux distros (https://dev.to/hugovk/why-are-there-still-so-many-downloads-for-eol-python-37-30cp).

@pillow remains around ~30%.

More than 90% of respondents have already implemented Python 3, so can be said to have already achieved mainstream acceptance.

The number of Python 2 users has remained nearly the same for the last 3 years, below 7%. Nevertheless, some people still use version 2 for data analysis (29%), computer graphics (24%), and DevOps (23%).
Python 3 versions

3.10 45%
3.9 23%
3.8 9%
3.6 4%
3.5 and lower 2%

Please note that the survey took place October 14 – November 14, 2022, and Python 3.11 was only released on October 24, 2022.
Other frameworks and libraries

Requests 48%
Pillow 29%
Asyncio 25%
...

Though the top-3 frameworks have not changed compared to 2021, Requests has ceded 4 percentage points to httpx.
Seth Michael Larson
2 months ago

50,000 folks have enabled 2FA on #PyPI! 👏👏👏 Thanks everyone who's done their part to keep the #Python ecosystem safe.

Have you done your part and enabled 2FA? 🤔

Read how: https://blog.pypi.org/posts/2023-05-25-securing-pypi-with-2fa/

Graph showing over 50,000 users have 2FA enabled on PyPI
Yann Büchau :nixos:
2 months ago

🚀 sdfCAD is now available on PyPI!

https://pypi.org/project/sdfcad/

With this release I added some more shape inspection routines:

- obj.bounds returns [x,x,y,y,z,z] bounds
- obj.volume() brute-forces the object's volume

Both are still a little wonky, though. Lots of iterative optimization under the hood, that can go wrong...

Still useful to e.g. check programmatically if two shapes intersect. That's something #OpenSCAD can't do. 😉

#sdfCAD #PyPI #Python #3dprinting #3dmodelling #3ddesign #CAD

Phylum
2 months ago

And we just keep finding more #malware. Another large multi-ecosystem campaign targeting #npm and #pypi.

Exfiltrating SSH keys and Kubernetes configuration files 😬

#infosec #opensource #javascript #python #cyberattack

https://blog.phylum.io/sensitive-data-exfiltration-campaign-targets-npm-and-pypi

Hugo van Kemenade
3 months ago
Siddhant Goel 👨🏻‍💻
3 months ago

What's the best way to get download statistics for a specific Python package uploaded on the PyPI?

I'm interested in stuff like total downloads since being published, monthly download count, etc.

#python #pypi

Alex Willmer
3 months ago

For itertools.combination(), itertools.permutations(), itertools.product() ... but as Sequences with random access (like range()) try python_toolbox.combi https://pypi.org/project/python-toolbox/

>>> perms = python_toolbox.combi.PermSpace('ABCD')
>>> len(perms)
24
>>> perms[3]
<Perm: ('A', 'C', 'D', 'B')>
>>> perms.index(('B', 'C', 'D', 'A'))
9

#Python #PyPi #Combinatronics

Xavi
3 months ago

ℹ️ I've updated #PyXavi to version v0.3.3, fixing a dependency problem with #PyYaml, which published 6.0, which in turn is broken and is fixed in 6.0.1

The version is already published on #PyPI
https://pypi.org/project/pyxavi/

#Python things :python:

Thanks @github for the docs update!
New page on how to enable #GitHubActions trusted publishing to @pypi

https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-pypi

More detailed (with pictures 🖼️ ) authored by @yossarian and other contributors!
https://docs.pypi.org/trusted-publishers/

#Python #PyPI #security #oidc

Barry Schwartz 🫖
3 months ago

I have animated a two-channel ‘CHSH’ Bell test experiment, as a #Python program. It is on #PyPI at https://pypi.org/project/Quantum-Correlations-Visualized/

If you read the source code, it will give an explanation of how the #simulation works. I STRONGLY encourage close study of the source code, for the reader to see that it is legitimate.

#Quantum #Physics #QuantumComputing #Mathematics

I'm too lazy to learn/take care of certain things that would be very useful and cool :(

Example: publishing a #Python package on #PyPI

Context: I forked a #ThonnyIDE plug-in that formats code with #black, and changed the plug-in to format using #blue (since I prefer single quotes).

So that other people can use it, I'd need to publish my version of the plugin on PyPI, but who says I have the knack for doing that?

It's a mix of mental block and bureaucracy, inertia, laziness, all mixed together. I know it's not super hard, I could, I don't know, watch @dunossauro's live stream on packaging, but it's really, really *hard for me*.

If you don't have these blocks that I have, there's this Python live stream here, with the dear @ayharano on top of it! https://www.youtube.com/watch?v=CW7Z1AqGyJM

Matthew Martin ☑ ✅📛
4 months ago

How do #pypi packages go viral? (or #github repos for that matter)

Conference talks? Is reddit (or reddit like things) doing it?

Seth Michael Larson
4 months ago

@pypi now requires #2FA for new user registrations in order to publish or create new projects. This is part of a broader effort to require 2FA for all users of #PyPI by the end of 2023.

#Python #Security #Opensource

https://blog.pypi.org/posts/2023-08-08-2fa-enforcement-for-new-users/

David Runge
5 months ago

It seems we'll have a lot of "fun" with the #PyPi decision to remove signatures for sdist tarballs (https://blog.pypi.org/posts/2023-05-23-removing-pgp/) going forward.

To scream into the void: Yes, PyPi, someone was using those signatures. Distro package maintainers secured user supply chains with it!

I'm not looking forward to asking dozens of upstreams to host their signatures elsewhere (just stumbled across one case). Meanwhile #reproduciblebuilds is now broken for those packages.

#ArchLinux #packagerlife #Python

Seth Michael Larson
5 months ago

Everyone loves a PR that deletes code!

🟩🟥🟥🟥→🥳

But what about deleting code AND increasing your #Python package's security? 🤯

That's exactly what #PyPI Trusted Publishers are for. If your project uses #GitHub then consider adopting them today! 🚀

https://docs.pypi.org/trusted-publishers/

Git commit diff that shows removing authentication config for publishing to PyPI in favor of OpenID Connect using trusted publishers.
Hugo van Kemenade
6 months ago

🥚 ❌
🛞 ✅

Following PEP 715, @pypi has deprecated the old egg format, use wheel instead.

https://blog.pypi.org/posts/2023-06-26-deprecate-egg-uploads/

https://pythonwheels.com
#Python #egg #wheel #PEP715 #bdist_egg #bdist_wheel #PyPI

@python_discussions The open, decentralised, federated git has this: forgejo.org/docs/latest/user/p… .

So if you need some additional argument (besides e.g. these: sfconservancy.org/blog/2022/ju… ) to give up #github then you already have :-)

#forgejo #pypi #python #GiveUpGitHub
Seth Michael Larson
6 months ago

#PyPI will now enforce use of Trusted Publishers or API tokens for uploading distributions if the user has 2FA enabled:

https://blog.pypi.org/posts/2023-06-01-2fa-enforcement-for-upload/

If your package is hosted on GitHub, I highly recommend checking out Trusted Publishers instead of API tokens. You can find official documentation on how to use Trusted Publishers with PyPI here:

https://docs.pypi.org/trusted-publishers/

Matthew Martin ☑ ✅📛
7 months ago

#pypi is doing the right thing and requiring 2 factor for all package uploading. It should be much harder to take over abandoned packages by using leaked passwords. I guess I also need to learn how to do the 2nd factor, or maybe just switch my publishing to github actions

Seth Michael Larson
7 months ago

#PyPI to enforce non-SMS 2FA for all package maintainers by the end of 2023, excellent work PyPI team to keep the #Python ecosystem safe! 💪

https://blog.pypi.org/posts/2023-05-25-securing-pypi-with-2fa/

New blog: Securing PyPI accounts via Two-Factor Authentication, from @dstufft

https://blog.pypi.org/posts/2023-05-25-securing-pypi-with-2fa/

#Python #PyPI #security

Seth Michael Larson
7 months ago

The #PyPI team has been killing it lately, removing the ability to upload new PGP signatures following @yossarian's audit of PGP on PyPI 🚀

https://blog.pypi.org/posts/2023-05-23-removing-pgp/

Veit Schiele
7 months ago

Wheel metadata are now available directly on the PyPI – this eliminates the need to download and unpack the entire wheels and then analyse the metadata and especially the dependencies: https://peps.python.org/pep-0658/
#Python #Packaging #PyPI

dubbel
7 months ago

"PyPI new user and new project registrations temporarily suspended" due to high levels of malicious package uploads.
Absolutely the right decision by the PyPI administrators, take all the time you need 🤗
https://status.python.org/incidents/qy2t9mjjcc7g

#python #PyPI #infoSec #malware

Andrew C
7 months ago
Thomas Wouters
7 months ago

I've mentioned it before, but in case you missed it and are interested in working for @ThePSF to improve PyPI...

https://blog.pypi.org/posts/2023-05-09-announcing-pypi-safety-and-security-engr-role/

#PyPI #Python #Hiring

Both the new Flask and Werkzeug releases use PyPI's new OIDC trusted publisher integration with GitHub https://docs.pypi.org/trusted-publishers/ Really easy to set up and use, no more managing tokens manually. #Python #PyPI

Live launch from the floor of @PyConUS

Starting today, PyPI package maintainers can adopt a new, more secure publishing method that does not require long-lived passwords or API tokens to be shared with external systems.

https://blog.pypi.org/posts/2023-04-20-introducing-trusted-publishers/

#python #pycon #pyconus #pyconus23 #security #oidc #pypi

Hynek Schlawack
8 months ago

cool, #Codecov just silently yanked the codecov package completely from #PyPI https://community.codecov.com/t/codecov-yanked-from-pypi-all-versions/4259

In the middle of a PyPI data migration no less.

#Python

Latest attack on #PyPI users shows crooks are only getting better
More than 400 malicious packages were recently uploaded to PyPI (Python Package Index), the official code repository for the #Python #programming language, in the latest indication that the targeting of software developers using this form of attack isn't a passing fad.

https://arstechnica.com/information-technology/2023/02/451-malicious-packages-available-in-pypi-contained-crypto-stealing-malware/

Matthew Martin ☑ ✅📛
10 months ago

You know what would be nice? Having to opt into downloading a pypi package from any account that is less than 12 months old. This would kill typosquatting & give malicious package detectors enough time to find the bad before people install by accident.

#pypi #python

On November 22, 2022, Flask and Werkzeug downloads per day dropped about 1 million. But I can't find a corresponding rise in any other framework, so I can only assume some service started caching PyPI much better. https://pepy.tech/project/flask?versions=2.2.*&versions=2.*&versions=1.*&versions=* #Python #PyPI