Items tagged with: pypi
It seems we'll have a lot of "fun" with the #PyPi decision to remove signatures for sdist tarballs (https://blog.pypi.org/posts/2023-05-23-removing-pgp/) going forward.
To scream into the void: Yes, PyPI, someone was using those signatures. Distro package maintainers secured user supply chains with it!
I'm not looking forward to asking dozens of upstreams to host their signatures elsewhere (just stumbled across one case). Meanwhile reproducibility is now broken for those packages.
#ArchLinux #packagerlife #Python
Removing PGP from PyPI - The Python Package Index
PyPI has removed support for uploading PGP signatures with new releases. (blog.pypi.org)
When byte code bites: Who checks the contents of compiled Python files?
ReversingLabs researchers identified a PyPI attack using compiled Python code to evade detection — possibly the first PYC file direct-execution attack. (Karlo Zanki, ReversingLabs)