PyPI subpoenaed: US govt demands data on developers

In March and April, three subpoenas seeking data on users of PyPI, the Python Package Index, were presented to the Python Software Foundation (PSF). PyPI is a repository for distributing third-party Python software packages – sets of files that provide Python developers with specific functionality. The subpoenas – legal …

  1. mpi Silver badge

Well, who's surprised? Not this guy.

    Of course I don't know what these subpoenas were about, but considering ...

    https://www.bitdefender.com/blog/hotforsecurity/supply-chain-attack-detected-in-pypi-library/

    https://arstechnica.com/information-technology/2021/11/malware-downloaded-from-pypi-41000-times-was-surprisingly-stealthy/

    https://www.esecurityplanet.com/threats/supply-chain-flaws-found-in-python-package-repository/

    https://labs.sogeti.com/analysis-of-the-biggest-python-supply-chain-attack-ever/

    https://portswigger.net/daily-swig/dependency-confusion-attack-mounted-via-pypi-repo-exposes-flawed-package-installer-behavior

    https://blog.sonatype.com/another-day-of-malware-malicious-botaa3-pypi-package

    https://threatpost.com/cryptominers-python-supply-chain/167135/

... all of that, I think I'm not leaning too far out the window if I hazard an educated guess. And these aren't even cherry-picked; I just copy-pasted the first few results from a quick web search.

    Supply chain attacks are a serious problem in the Python ecosystem. A problem that needs to be addressed. That includes investigations by authorities. And where else are authorities supposed to start looking?

    1. sabroni Silver badge

Re: Well, who's surprised? Not this guy.

      Supply chain is a problem, therefore it needs to be addressed, therefore the state gets involved. Because the state would never leave something that was a problem, right? Not if it was causing problems for software developers....

      The world doesn't work like this.

      1. Anonymous Coward

Re: Well, who's surprised? Not this guy.

        Sure, but PyPI having 3 people moonlight for security?

        Security doesn't work like that.

PyPI is clearly a security mess, that's public at this point, but I think the names of these individuals have been requested for tracking purposes rather than internally to PyPI. If they were requested for activity related to PyPI I think the government would let them know and that would also be part of the news.

        1. Version 1.0 Silver badge

Re: Well, who's surprised? Not this guy.

          Python was designed to make it very easy to create extremely effective and reliable applications. Python has done a fantastic job and is universally popular and applied these days ... but easy-to-create and highly reliable applications have the option of hacking for some programmer creators too ... this is not a criticism (or even a joke), but I wonder how many copies of Python are installed at the NSA and other countries' related organizations too?

  2. Anonymous Coward

    Curious About Other Sources For Python Packages

As a long-term RH/Fedora user, it's obvious that the usual RH/Fedora bare metal install includes many, many Python RPM packages.

    But I'm completely in the dark about the route taken by these RPM-based packages until they end up installed on my machine.

    Are the Python RPM packages at risk in the same way as PyPI packages?

    1. doublelayer Silver badge

      Re: Curious About Other Sources For Python Packages

      Basically, yes. They're created by your distro's package maintainers. Those maintainers are an extra layer between you and the source, but who knows where they're getting the source from. Probably they're just using the original repos for the libraries, and if those sources are compromised and they're not aware, those packages could also be attacked. That's true of any other packages those maintainers allow through as well. Responsible distros have maintainers who do a lot of checking on such things, which probably indicates that the packages they allow are better than unverified ones, but probably does not mean certainly.

      However, the ones installed by default are likely to be the much more common packages which are more rigorously checked for changes and secured from replacement. The more dangerous ones tend to be the ones that are created by one person, meaning that if an attacker gets the access necessary to embed some malware, that person is less likely to detect quickly that it has happened. Other Python packages are certainly in your package repositories, and those may not be as secure.

  3. Cliffwilliams44 Silver badge

If the Fed requested you to open your safe at home, the subpoena would need to state what crime/case the request is for!

    But because this is for a 3rd party internet organization we can just obfuscate all that?

    This is the problem with judges who have no f'ing clue!

  4. Joe Gurman

    5 points to Gryffindor....

    ....for the subhead.

  5. david1024

    The tragedy of the commons claimed the internet 20 years ago and these folks missed the memo.

If they want a wild, wild west, that's fine, just give us a curated path too. Besides, leaving it to the users stopped being a viable solution in the late '80s. (Ask Bill about defaults)
