
218 points | miketheman | 1 comment
krnavy No.42137406
After 2FA, the previous PyPI buzzword that was forced on everyone, JFrog discovered a key leak that compromised everything:

https://news.ycombinator.com/item?id=40941809

JFrog also discovered multiple malicious package exploits later.

Now we get a GitHub-centric new buzzword that could be replaced by trusted SHA256 sums. Python is also big on business speak like SBOM. The above key leak of course occurred after all these new security "experts" manifested themselves out of nowhere.

The procedure remains the same. Download a package from the original creators, audit it, use a local repo and block PyPI.

replies(4): >>42138028 >>42138937 >>42143607 >>42144668
1. pabs3 No.42144668
> Download a package from the original creators

Don't download packages from PyPI, go upstream to the actual source code on GitHub, audit that, build locally, verify your build is the same as the PyPI one, check the audits people have posted using crev, decide if you trust any of them, upload your audit to crev too.

https://reproducible-builds.org/ https://github.com/crev-dev/
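The "build locally, verify your build is the same as the PyPI one" step above, and the "trusted SHA256 sums" point in the parent comment, as an added worked example. This is editorial example code, not part of the thread and not from PyPI, pip, crev or reproducible-builds.org. It assumes you already have two wheel files on disk (here both are constructed in memory so it runs offline); the package name `pkg`, the member files and the pins are made up. Wheels are zip archives, so when the archive hashes differ the script walks the members to tell a real content difference apart from a mere zip-metadata difference (timestamps are the classic non-reproducibility source, which is what `SOURCE_DATE_EPOCH` exists to pin).

```python
"""Compare a locally built wheel with the one fetched from PyPI, and check a
pip-style hash pin. Added example; not code from the thread or from any of the
projects it mentions."""
import hashlib
import hmac
import io
import zipfile


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_pin(artifact: bytes, pin: str) -> bool:
    """pin uses pip's --hash syntax ("sha256:<hex>"), as written in a
    requirements file used with --require-hashes. Only sha256 is accepted."""
    algo, _, expected = pin.partition(":")
    if algo != "sha256" or len(expected) != 64:
        return False
    return hmac.compare_digest(sha256_bytes(artifact), expected.lower())


def compare_wheels(local: bytes, upstream: bytes) -> dict:
    """Verdict on a local rebuild vs. the upstream artifact.

    identical        -> byte-for-byte equal (the reproducible-builds goal)
    content_matches  -> every member's bytes agree and no member is missing,
                        even if zip metadata (timestamps, modes) differs
    content_diffs    -> members whose bytes differ: audit these before trusting
    """
    result = {
        "identical": sha256_bytes(local) == sha256_bytes(upstream),
        "content_diffs": [],
        "metadata_diffs": [],
        "only_local": [],
        "only_upstream": [],
    }
    if result["identical"]:
        result["content_matches"] = True
        return result
    with zipfile.ZipFile(io.BytesIO(local)) as zl, \
            zipfile.ZipFile(io.BytesIO(upstream)) as zu:
        names_l, names_u = set(zl.namelist()), set(zu.namelist())
        result["only_local"] = sorted(names_l - names_u)
        result["only_upstream"] = sorted(names_u - names_l)
        for name in sorted(names_l & names_u):
            il, iu = zl.getinfo(name), zu.getinfo(name)
            if zl.read(name) != zu.read(name):
                result["content_diffs"].append(name)
            elif il.date_time != iu.date_time or il.external_attr != iu.external_attr:
                result["metadata_diffs"].append(name)
    result["content_matches"] = not (
        result["content_diffs"] or result["only_local"] or result["only_upstream"]
    )
    return result


def build_wheel(members: dict, date_time=(1980, 1, 1, 0, 0, 0)) -> bytes:
    """Constructed stand-in for a wheel: a zip with fixed member timestamps."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zi = zipfile.ZipInfo(name, date_time=date_time)
            zi.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(zi, data)
    return buf.getvalue()


# Constructed sample data (hypothetical package "pkg").
MEMBERS = {
    "pkg/__init__.py": b"VERSION = '1.0'\n",
    "pkg-1.0.dist-info/METADATA": b"Name: pkg\nVersion: 1.0\n",
}
UPSTREAM = build_wheel(MEMBERS)                      # "the PyPI wheel"
LOCAL_REPRO = build_wheel(MEMBERS)                   # reproducible rebuild
LOCAL_TIMESTAMPED = build_wheel(MEMBERS, (2024, 11, 12, 10, 0, 0))
LOCAL_TAMPERED = build_wheel(
    {**MEMBERS, "pkg/__init__.py": b"VERSION = '1.0'\nimport os\n"})
UPSTREAM_PIN = "sha256:" + sha256_bytes(UPSTREAM)    # what you'd put in requirements.txt

if __name__ == "__main__":
    for label, wheel in [("reproducible", LOCAL_REPRO),
                         ("timestamps only", LOCAL_TIMESTAMPED),
                         ("tampered", LOCAL_TAMPERED)]:
        print(label, compare_wheels(wheel, UPSTREAM))
    print("pin ok:", check_pin(UPSTREAM, UPSTREAM_PIN))
```

`content_matches` with `identical` false is the usual first result on a real package; fix the build environment until the archive hashes agree before pinning, because a pin in a requirements file (`--hash=sha256:...` with `pip install --require-hashes`) only protects you if the hash you pinned was taken from an artifact you have actually audited.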