As the news of two malicious Python packages in PyPI spread across the Internet, I started revisiting all the hours our team at Freedom of the Press Foundation spent to think about these exact kind of attacks the ways of mitigation. In this particular case, the attackers used typosquatting to get similar project names and sent in malware-ridden code via the same.

I gave a talk Building reproducible Python applications for secured environments at PyCon US this year on the mitigation processes we follow. In simple words, we verify every source code update by reading the changes manually (with human eyes+tools) and then build and store wheel files on our index. Everything also gets verified via GPG signatures and known sha256sums.

We also publish the verification results on a wiki page and mail to the diff-review mailing list. Feel free to join in there and also let others know.

Video for the week

If you want to discuss any of these topics, hop on to the Freenode server (IRC), and come to the #learnandteach channel. Or you can find me on fediverse https://toots.dgplug.org/@kushal.