by vicktorium 886 days ago
very interesting

i wonder about the over-dependence on third party packages and modules

imagine the author of 'is-odd' injects a trojan there

what are you gonna do?

C has this solved but 'vendoring' is not as fast as this approach

5 comments

The recommended guidance is either vendoring dependencies or pinning to hashes (pip --require-hashes, poetry.lock, pipfile). When updating your dependencies you should review the actual file getting downloaded.

Compiled binaries are harder; you might consider compiling them from source and comparing the output. This is where build reproducibility comes into play.

There's a lot more coming in the Python packaging security space that'll make this easier and just safer in general. Stay tuned :)
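The hash-pinning and reproducible-build checks the comment above describes, as an added example (not code from the thread or from pip). It parses pip's `--hash=sha256:...` requirement format, refuses anything unpinned or pinned only with a weak digest, verifies a downloaded artifact against the pin, and compares a local rebuild against the published artifact. The package names and artifact bytes are constructed for the demo.

```python
import hashlib
import hmac
import re

# Digest algorithms accepted for pins; md5/sha1 pins are ignored as too weak.
ALLOWED_ALGORITHMS = {"sha256", "sha384", "sha512"}

# "name==version" at the start of a requirement line (pip's pinned form).
_REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([^\s\\]+)")
# Every "--hash=algo:hex" option on the (joined) line.
_HASH_RE = re.compile(r"--hash=([a-z0-9]+):([0-9a-fA-F]+)")


def pin_line(name, version, artifact):
    """Produce a pip-style hash-pinned requirement line for a downloaded artifact.
    This is what you would commit after reviewing the file you actually fetched."""
    digest = hashlib.sha256(artifact).hexdigest()
    return f"{name}=={version} --hash=sha256:{digest}"


def parse_requirements(text):
    """Parse hash-pinned requirements into {name: (version, {(algo, hexdigest)})}.
    Handles pip's backslash line continuations and '#' comments. Any requirement
    that is not an exact '==' pin is rejected, as --require-hashes would."""
    joined = text.replace("\\\n", " ")  # fold continued lines
    pins = {}
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _REQ_RE.match(line)
        if not m:
            raise ValueError(f"unpinned or unparsable requirement: {line!r}")
        name, version = m.group(1).lower(), m.group(2)
        hashes = {(algo, hexd.lower()) for algo, hexd in _HASH_RE.findall(line)}
        pins[name] = (version, hashes)
    return pins


def verify_artifact(name, version, artifact, pins):
    """Return True only if `artifact` matches a strong pinned hash for name==version.
    Mirrors --require-hashes: an unpinned package, a version mismatch, or a pin
    carrying only weak algorithms all fail closed."""
    entry = pins.get(name.lower())
    if entry is None:
        return False
    pinned_version, hashes = entry
    if pinned_version != version or not hashes:
        return False
    for algo, expected in hashes:
        if algo not in ALLOWED_ALGORITHMS:
            continue
        actual = hashlib.new(algo, artifact).hexdigest()
        if hmac.compare_digest(actual, expected):
            return True
    return False


def builds_match(local_build, downloaded):
    """Reproducible-build check: a wheel rebuilt from source must be byte-identical
    to the published one, so comparing digests is sufficient."""
    return hmac.compare_digest(hashlib.sha256(local_build).digest(),
                               hashlib.sha256(downloaded).digest())


if __name__ == "__main__":
    # Constructed stand-ins for a downloaded wheel and a trojaned replacement.
    good = b"constructed wheel bytes: is-odd 1.0.0"
    bad = good + b"\n# injected payload"
    pins = parse_requirements(pin_line("is-odd", "1.0.0", good))
    print("pinned artifact verifies:", verify_artifact("is-odd", "1.0.0", good, pins))
    print("tampered artifact verifies:", verify_artifact("is-odd", "1.0.0", bad, pins))
```

The verification deliberately returns False rather than raising, so a caller can decide whether to abort the install or quarantine the file; in a real pipeline you would run this against the archive pip actually downloaded (or the output of `pip download`) before anything is unpacked.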

Pinning… I wrote a library in python. The initial versions were to get it to work. Later I made the code much more efficient.

Of course 90% of the downloads come from the pinned old versions.

They were so inefficient… and are still contributing to create waste even though the new releases are like 20x faster.

Well… sort of. C has become a standard with several implementations. It gains supply chain security by being decentralized. Likewise, it has many package managers with different repos for language specific things, and it then has many package managers and repos if we consider UNIX/Linux systems C development environments with dynamic linking and the like.

The issue is, for any given implementation, similar attacks could still happen, and the package repos are still probably vulnerable.

> C has this solved

It hasn't… but C developers are much more careful about adding a dependency than js/python/rust/go developers. Mostly because adding a dependency in C is more annoying. In those languages it's just about adding one line.

Of course if you use a distribution and it's a famous library, it's just a matter of adding a line as well. But then there is the filter of the distribution. Which would work for any language, but most developers vendor everything instead.

> C has this solved

"Reflections on Trusting Trust" was a demonstration of this in the C ecosystem long before package managers were a thing.

You can't do much beyond setting up a corporate proxy that blocks or inspects outbound connections. Even then, you're relying on luck.

These days it's practically a necessity for companies to shell out money to some sort of supply-chain protection software (Sonatype, Socket.dev etc.)

Make the corporate proxy use an allow list only. Even then you fall prey to official PyPI hacked packages, but at least then the cryptominers or Discord cred stealers can't phone home.

> These days it's practically a necessity for companies to shell out money to some sort of supply-chain protection software (Sonatype, Socket.dev etc.)

A number of serious assumptions here. How can you be sure that you're protected if you spend money on these commercial tools? It's an arms race after all. There are other ways to protect yourself (pinning dependencies, allow list). A few open source tools are also available to audit code.