by tylfin 1777 days ago
There is the "Yank" PEP 592 semantic that can be used to mark vulnerable packages. Its adoption has been a little slow, but I agree, having these packages available and marked accordingly makes it easier for security scanning and future detection research.

https://www.python.org/dev/peps/pep-0592/
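As an added illustration of the PEP 592 semantics referred to above (not code from the thread or from PyPI), the script below reads the `yanked` / `yanked_reason` fields that PEP 592 added to PyPI's per-file JSON API entries, lists yanked releases, and mimics the installer rule that a yanked release is selected only when pinned exactly. The project name, versions and reasons are constructed sample data, and versions are assumed to be plain X.Y.Z.

```python
"""List yanked releases from PyPI JSON API data and apply the PEP 592 selection rule."""
import json

# Constructed sample in the shape of https://pypi.org/pypi/<project>/json (trimmed).
# The project "examplepkg" and its releases are hypothetical.
SAMPLE_JSON = json.dumps({
    "info": {"name": "examplepkg"},
    "releases": {
        "1.0.0": [{"filename": "examplepkg-1.0.0.tar.gz",
                   "yanked": False, "yanked_reason": None}],
        "1.1.0": [{"filename": "examplepkg-1.1.0-py3-none-any.whl",
                   "yanked": True, "yanked_reason": "Malicious code found in setup hook"}],
        "1.2.0": [{"filename": "examplepkg-1.2.0-py3-none-any.whl",
                   "yanked": False, "yanked_reason": None}],
    },
})


def parse_version(v):
    """Turn '1.10.2' into (1, 10, 2) so versions sort numerically (sample data is X.Y.Z)."""
    return tuple(int(part) for part in v.split("."))


def yanked_releases(pypi_json):
    """Return {version: reason} for every release whose files are all marked yanked."""
    data = json.loads(pypi_json)
    out = {}
    for version, files in data["releases"].items():
        if files and all(f.get("yanked") for f in files):
            out[version] = files[0].get("yanked_reason") or ""
    return out


def resolve(pypi_json, pinned=None):
    """Pick the version an installer would choose under PEP 592.

    A yanked release is skipped unless the requester pinned that exact version,
    in which case it is still installed but a warning is returned alongside it.
    Returns (version, warning_or_None).
    """
    data = json.loads(pypi_json)
    yanked = yanked_releases(pypi_json)
    if pinned is not None:
        if pinned not in data["releases"]:
            raise LookupError(f"no release {pinned} for {data['info']['name']}")
        if pinned in yanked:
            return pinned, f"WARNING: {pinned} is yanked: {yanked[pinned]}"
        return pinned, None
    candidates = [v for v in data["releases"] if v not in yanked]
    return max(candidates, key=parse_version), None
```

Running `resolve(SAMPLE_JSON)` returns the newest non-yanked release, while `resolve(SAMPLE_JSON, "1.1.0")` returns the yanked release together with its warning, which is the behaviour a CI check can grep for before a build proceeds.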


Even better would be to allow their install, but to have them start up with an immediate panic() sort of function (i.e., print("This package has been found to be malicious; please see pypi/evilpackagename for details"); sys.exit(99)) to force aborts of any app using those packages.
python packages run arbitrary code at install/build time, so this isn't viable.
It's no longer arbitrary if the PyPI crew is the one who controls the code, or did I understand you wrong?
Just that it isn't as simple as adding the lines to where the code gets executed. I think I misunderstood you: instead of prepending the code, you are suggesting the entire compromised package get replaced with `throw "You got Hacked"` at import time.
Correct, when the program starts to run and imports the modules, as nothing will make admins more aware that something is really wrong here. Maybe raise an exception which, if not handled, executes sys.exit() with a predefined code.

And some mechanism to detect this at install/build time as well, so that automated build systems can cleanly abort a build and issue a specific message which can then be forwarded via email or SMS through some custom code.

The entire package gets replaced by a standardized, friendly one. No harmful code gets downloaded.

Denial of Service by panicking is also harmful for some processes.
.whl packages don't run arbitrary code, they're just zips.
Skimming through that link, it seems that `yank` is for pulling _broken_ packages, whereas the suggestion above is to explicitly mark them as malicious.
Should we call the "mark them malicious" version "Yeet" or "Yoink"?
Good point. The keyword for uninstall and remove residual files should be Yeet indeed.

Downloading the latest, bleeding edge version should be Yoked

pip install yoked <package>

`npm yeet malicious-package`