Check for known vulnerabilities¶

• https://github.com/pyupio/safety-db and https://pyup.io/

• safety package: Safety checks your installed dependencies for known security vulnerabilities.

GPG¶

• Verifying PyPI and Conda Packages by Stuart Mumford (2016-06-21)

• Sign a package using GPG and Twine

pip security¶

• pip: Implement “hook” support for package signature verification

PyPI¶

• PEP 458 – Surviving a Compromise of PyPI (27-Sep-2013)

• PEP 480 – Surviving a Compromise of PyPI: The Maximum Security Model (8-Oct-2014)

• Making PyPI security independent of SSL/TLS by Nick Coghlan

Vulnerabilites in the Package Index¶

PyPI typo squatting¶

• Typosquatting programming language package managers by Nikolai Tschacher (8 June, 2016)

• LWN: Typosquatting in package repositories (July 20, 2016)

• Building a botnet on PyPi by Steve Stagg (May 19, 2017)

• warehouse bug (pypi.org): Block package names that conflict with core libraries (reported at June 28, 2017)

• 2017-09-09: skcsirt-sa-20170909-pypi-malicious-code advisory

fate0:

• 2017-05-27 04:38 - 2017-05-31 12:24 (5 days): 10,685 downloads

• May-June, 2017

• https://mail.python.org/pipermail/distutils-sig/2017-June/030592.html

• http://blog.fatezero.org/2017/06/01/package-fishing/

• https://github.com/pypa/pypi-legacy/issues/644

• http://evilpackage.fatezero.org/

• https://github.com/fate0/cookiecutter-evilpy-package

• Packages (this list needs to be validated):

  • caffe

  • ffmpeg

  • ftp

  • git

  • hbase

  • memcached

  • mkl

  • mongodb

  • opencv

  • openssl

  • phantomjs

  • proxy

  • pygpu

  • python-dev

  • rabbitmq

  • requirement.txt

  • requirements.txt

  • rrequirements.txt

  • samba

  • shadowsock

  • smb

  • tkinter

  • vtk

  • youtube-dl

  • zookeeper

  • ztz

  • …

Example of typos:

• urllib, urllib2: part of the standard library

• urlib3 instead of urllib3

Links¶

• The Update Framework (TUF): Like the S in HTTPS, a plug-and-play library for securing a software updater.