If you're using the ctx Python package, bad news: Vandal added info-stealing code

The Python Package Index (PyPI), a repository for Python software libraries, has advised Python developers that the ctx package has been compromised. Any installation of the software in the past ten days should be investigated to determine whether sensitive account identifiers stored in environment variables, such as cloud …

  1. emfiliane

    This should not have been possible

    PyPI should have instituted certificate-based hashing from the very beginning, but it's always been a very loose and marginally run collection of useful Python packages. Much like NPM and other open-source repos, professionalism and security never really seemed to be important, just uptime and speed to rollout, especially compared to the interpreter projects that are buttoned up tight. (Only one really does it right: Cargo/Crates.io is run by the Rust team itself, which is attached to Mozilla, and is locked down quite tight from the developer side. A simple password reset to a squatted domain isn't going to be possible.)

    1. Charlie Clark

      Re: This should not have been possible

      Hindsight's a great thing, isn't it?

      1. emfiliane

        Re: This should not have been possible

        PyPI began in 2000, and was wildly in flux until 2003-4. By then the world was flooded with hacks of all kinds and knowledge of good security practices was being widely disseminated to everyone, not just academics and enterprise engineers. There was no excuse for not building it in -- or at least bolting it on -- at any time afterward with a drop-dead cutoff for older insecure authentication, as the platform became more important and more widely relied on.

    2. Version 1.0

      Re: This should not have been possible

      You can't blame Python; this is normal in the Open Sauce environment. Most of the time the new sauce is nice and tasty, but occasionally it's got too much salt and pepper.

      I'll rework an old quote to today's world ... "If it turns out that there is an Open Source Coding, I don't think that it's evil. But the worst that you can say about it is that basically it's an underachiever." - Woody Allen (updated).


    3. -v(o.o)v-

      Re: This should not have been possible

      Move fast and break things! Yeah!!1

  2. Bitsminer

    Do you use Python? Have you ever contributed money to the Python Foundation to support their efforts? Do you know how many paid employees they have available for "professional" support?

    Put up or shut up.

    1. Morten Bjoernsvik

      private pypi

      We use private nexus3 pypi repos where we add packages when safety or snyk complains about outdated packages.

      You can also simply create a parser for https://www.cvedetails.com in Python. I'm pretty sure PyPI is already full of them. The main drawback of CVE is the long delay from when an issue is discovered until a CVE is issued, but this can be solved by only using popular packages and waiting some time before upgrading.

      1. sten2012

        Re: private pypi

        Why parse cvedetails and not the CVE feeds themselves? From what I can tell the JSON or XML (if XML is still going) contains the same info with reduced risk of change.

        Not an accusatory question, but unless we work at the same place then multiple people go the cvedetails rather than the CVE route, and I don't see why.
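The check the two comments above are talking about, as an added example that is not from either commenter: pinned requirements matched against a CVE-style JSON feed rather than a scraped web page. The feed records, advisory ids and version ranges are constructed, and the record shape is a simplified stand-in, not the real CVE/NVD schema.

```python
import json

# Constructed, simplified advisory records. Ids are placeholders and the
# field layout only loosely resembles the "affected" block of CVE JSON.
FEED_JSON = """
[
 {"id": "CVE-EXAMPLE-0001", "published": "2022-05-20",
  "affected": [{"ecosystem": "pypi", "product": "ctx",
                "introduced": "0.1.0", "fixed": null}]},
 {"id": "CVE-EXAMPLE-0002", "published": "2022-01-10",
  "affected": [{"ecosystem": "pypi", "product": "requests",
                "introduced": "2.0.0", "fixed": "2.27.1"}]}
]
"""

# Constructed requirements.txt-style pins to check against the feed.
REQUIREMENTS = """
ctx==0.2.2
requests==2.25.1
numpy==1.22.0
"""

def parse_version(v):
    # Plain dotted numeric versions only; pre-release tags are not handled.
    return tuple(int(p) for p in v.split("."))

def parse_requirements(text):
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, ver = line.partition("==")
        pins[name.strip().lower()] = ver.strip()
    return pins

def is_affected(version, introduced, fixed):
    # Affected when introduced <= version and (no fix yet or version < fixed).
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)

def find_affected(feed_json, requirements_text):
    pins = parse_requirements(requirements_text)
    hits = []
    for adv in json.loads(feed_json):
        for a in adv["affected"]:
            name = a["product"].lower()
            if a["ecosystem"] == "pypi" and name in pins \
                    and is_affected(pins[name], a["introduced"], a["fixed"]):
                hits.append((adv["id"], name, pins[name]))
    return sorted(hits)
```

Running `find_affected(FEED_JSON, REQUIREMENTS)` flags the pinned ctx (no fixed version yet) and the pinned requests (below the fixed version) and leaves numpy alone.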

  3. Anonymous Coward

    The contrast is quite telling

    Reading the comments here and on the corresponding NPM attack article.
