by forsaken 2051 days ago
One of the PyPI maintainers noted:

> This is a great approach to detecting malicious code execution in Python packages.

> ... anyone want to fund making this part of @pypi?

https://twitter.com/di_codes/status/1327121326734241797

I think this is an obvious place that someone in the ecosystem could apply money and make their supply chain (and everyone else's) safer.


For more context: this kind of work could fit nicely into the malware auditing system that was designed and implemented as part of the RFI that the blog author originally linked to[1].

Most of the infrastructure on the PyPI side is in place[2], but the current checks are mostly proofs of concept/exercises of the new APIs to ensure that they don't atrophy.

[1]: https://discuss.python.org/t/what-methods-should-we-implemen...

[2]: https://github.com/pypa/warehouse/tree/master/warehouse/malw...

I've been in touch with folks from the Open Source Security Foundation [0], which is interested in making this a centralized service.

I'm a big believer that functions like this should be centralized under a foundation like that, and have really close connections to package manager maintainers so that we can work together towards solving the problem.

[0] https://openssf.org/