Python Forum
Security verification of Python "pip" packages?
#1
Hi,

I was wondering if there is any malware checking performed on Python packages before they are made available through the "pip" repository, or can anyone upload any code / packages they like?

Sorry for being so paranoid,

Neil
#2
As far as I know, there are no security measures at the moment (for any repository, for that matter). The best method would be to read the code which, of course, can be impractical. Stick with well known packages; if you have a package with 50,000 downloads and another with 1 download, you'd probably be better served using the first. Running your code in a virtual environment may also afford you some level of protection. Make sure you are installing the "correct" package. There are a number of packages with similar names. So, for example, make sure you install "scipy" and not "scipi". As with any software, the best security is to be smart and use common sense. When in doubt, don't!
If it ain't broke, I just haven't gotten to it yet.
OS: Windows 10, openSuse 42.3, freeBSD 11, Raspian "Stretch"
Python 3.6.5, IDE: PyCharm 2018 Community Edition
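The "scipy" vs "scipi" point above is a typosquatting check a team can automate before installing. The script below is an added example, not code from this thread or from pip: it normalises names the way PyPI does (PEP 503) and flags any requested package that is within a couple of edits of an entry on a constructed, team-maintained allowlist (the allowlist contents are an assumption).

```python
"""Flag requirement names that are near misses of vetted package names.
Added example for this thread; the allowlist below is constructed."""
import re

# Constructed allowlist of packages the team has already vetted (assumption).
KNOWN_PACKAGES = {"requests", "numpy", "scipy", "pandas", "flask", "django"}


def normalize(name):
    """PEP 503 normalisation: case-insensitive, runs of '-', '_' or '.' collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a, b):
    """Levenshtein distance using a rolling-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(requested, known=KNOWN_PACKAGES, max_dist=2):
    """('ok', name) on an exact allowlist hit, ('suspect', nearest) for a
    near miss within max_dist edits, ('unknown', None) otherwise."""
    req = normalize(requested)
    if req in known:
        return "ok", req
    nearest = min(known, key=lambda k: edit_distance(req, k))
    if edit_distance(req, nearest) <= max_dist:
        return "suspect", nearest
    return "unknown", None


def check_requirements(lines):
    """Classify each requirement line such as 'scipi==1.2' or 'Requests>=2'."""
    report = {}
    for line in lines:
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        name = re.split(r"[<>=!~;\[\s]", line, maxsplit=1)[0]
        report[name] = classify(name)
    return report


if __name__ == "__main__":
    # Constructed sample requirements; 'scipi' and 'numpyy' are the near misses.
    sample = ["Requests>=2.0  # fine", "scipi==1.2", "numpyy", "totallynewlib"]
    for name, (verdict, near) in check_requirements(sample).items():
        print(name, verdict, "" if near is None else f"(did you mean {near}?)")
```

A "suspect" verdict is a prompt to look at the project page before installing, not proof of malice; an "unknown" name simply is not on the allowlist yet.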
#3
I have blindly installed packages for years, some not even on PyPI, but in butbucket and github, and never once looked at their code for malicious content. Some have been very few downloads, and/or unpopular packages. I have never once had a problem.

I must admit though I am on Linux and I often reinstall my OS every 6 months or so to get the latest, but also purge all the crap from my system...mostly my own crap I installed/downloaded/modified, etc.

There has never once been an incident that I am aware of with malware in PyPI. That's what's great about open source. There are so many eyes on it that it most likely would be noticed before too long, then that author would be blacklisted.
#4
(Aug-23-2017, 12:41 PM)metulburr Wrote: butbucket

Seriously? I would not want to download anything from there


I should mention, there has been (is?) an ongoing effort towards security using The Update Framework (TUF); see more here: TUF
and Python's "pip" here: pip and TUF
If it ain't broke, I just haven't gotten to it yet.
OS: Windows 10, openSuse 42.3, freeBSD 11, Raspian "Stretch"
Python 3.6.5, IDE: PyCharm 2018 Community Edition
#5
Thanks for all your responses. Really helpful.

I like sparkz_alot's suggestion of the number of times a package has been downloaded (although I suspect even this could be artificially increased).

Is there an easy way to find out how many times a package has been downloaded (ideally the times it has been installed through the "pip" command)?
#6
I am on Arch Linux most of the time and I don't care about security so much. All my sensitive information like documents or bank accounts is on another Linux system with an encrypted partition.
"As they say in Mexico 'dosvidaniya'. That makes two vidaniyas."
https://freedns.afraid.org
#7
(Aug-23-2017, 01:08 PM)futurity Wrote: Is there an easy way to find out how many times a package has been downloaded (ideally the times it has been installed through the "pip" command)?
pip install vanity
You get an overview of monthly and yearly downloads, with a final sum.
Example:
vanity requests
requests has been downloaded 103009497 times!
WolframAlpha: 103 million 9 thousand 497

vanity numpy
numpy has been downloaded 13936536 times!
WolframAlpha: 13 million 936 thousand 536
#8
There is also a weight value displayed in PyPI when you search on a particular subject.
The higher the number, the more downloads and likes.