←back to thread

PyPI now supports digital attestations

(blog.pypi.org)
218 points miketheman | 2 comments | 14 Nov 24 14:25 UTC | HN request time: 0s | source
Show context
krnavy ◴[14 Nov 24 15:50 UTC] No.42137406[source]
After 2FA, the previous PyPI buzzword that was forced on everyone, JFrog discovered a key leak that compromised everything:

https://news.ycombinator.com/item?id=40941809

JFrog also discovered multiple malicious package exploits later.

Now we get a Github centric new buzzword that could be replaced by trusted SHA256 sums. Python is also big on business speak like SBOM. The above key leak of course occurred after all these new security "experts" manifested themselves out of nowhere.

The procedure remains the same. Download a package from the original creators, audit it, use a local repo and block PyPI.

replies(4): >>42138028 #>>42138937 #>>42143607 #>>42144668 #
zahlman ◴[15 Nov 24 03:00 UTC] No.42143607[source]
After reading the underlying report (https://jfrog.com/blog/leaked-pypi-secret-token-revealed-in-...), I can't help but think: "where is the defense in depth?" Since `.pyc` files are just a cache of compilation that's already generally pretty quick, this could have been prevented by systems that simply didn't allow for pushing them into the Docker image in the first place. Or by having `PYTHONDONTWRITEBYTECODE=1` set on the developer's machine.

(Also, now I'm trying to wrap my head around the fact that there's such a thing as "Docker Hub" in the first place, and that people feel comfortable using it.)

replies(1): >>42145318 #
1. akx ◴[15 Nov 24 09:38 UTC] No.42145318[source]
> now I'm trying to wrap my head around the fact that there's such a thing as "Docker Hub" in the first place

Unless you build all of your images `FROM scratch` by default (or use in-house registries or quay or whatnot for all of your base images), you've used Docker Hub too...

replies(1): >>42146055 #
2. guappa ◴[15 Nov 24 11:46 UTC] No.42146055[source]
Yeah at work we build our images from scratch of course.