Python Package Index now has automatic malware checks on board

March 10, 2020

The Python Package Index (PyPI) is home to over 200,000 Python projects and has over 400,000 users. It is developed and maintained by the Python community and operated by the Python Software Foundation (PSF).

In 2018, the PSF announced that they had received a monetary gift from Facebook that was to go towards implementing security features in PyPI.


Here is what has happened so far.

Automatic malware checks

Last month, Milestone 2 of the updates was completed: PyPI now has a system for automatic malware checks in place.

This high-level diagram shows how it works:

[Diagram: Automatic malware checks. Source.]

As the diagram shows, a check can be triggered in three ways: when a PyPI user uploads a new file, release or project; when a PyPI administrator starts an evaluation run; or on a schedule. A check that finds something malicious should then lead to the removal of the offending package, release or file.
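To make the three-trigger pipeline concrete, here is an added illustration (not Warehouse's own code, and not the PSF's implementation) of how such a check could be structured: one check inspects a setup.py via its AST for command execution and payload-decoding calls, the same check runs for any of the three triggers, and only a "threat" verdict is put forward for removal. The trigger and verdict names, the suspicious-call lists and the sample setup.py files are all assumptions constructed for this example.

```python
import ast
import enum
from dataclasses import dataclass, field
from typing import Dict, List, Optional


class Trigger(enum.Enum):
    """The three entry points named on the page (names assumed here)."""
    UPLOAD = "upload"        # a user uploads a new file, release or project
    ADMIN = "admin"          # an administrator starts an evaluation run
    SCHEDULED = "scheduled"  # a periodic sweep over files already on the index


class Verdict(enum.Enum):
    BENIGN = "benign"
    INDETERMINATE = "indeterminate"  # worth a human look, not enough to act on
    THREAT = "threat"                # candidate for removal


@dataclass
class Result:
    filename: str
    trigger: Trigger
    verdict: Verdict
    findings: List[str] = field(default_factory=list)


# Calls that should not appear in an ordinary setup.py. Hypothetical lists
# assumed for this example; a real check would maintain them as rules.
EXEC_CALLS = {"os.system", "os.popen", "subprocess.run", "subprocess.call",
              "subprocess.Popen", "subprocess.check_output", "exec", "eval",
              "__import__"}
OBFUSCATION_CALLS = {"base64.b64decode", "base64.b32decode", "zlib.decompress",
                     "codecs.decode", "urllib.request.urlopen", "socket.socket"}


def _dotted_name(node: ast.AST) -> Optional[str]:
    """Return 'pkg.mod.attr' for a Name/Attribute chain, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def setup_pattern_check(filename: str, source: str, trigger: Trigger) -> Result:
    """Flag setup.py files that execute commands or decode hidden payloads.

    Walks the AST rather than grepping, so a string literal or comment that
    merely mentions os.system does not count as a finding.
    """
    try:
        tree = ast.parse(source, filename=filename)
    except SyntaxError as exc:
        # An unparsable setup.py cannot be cleared; leave it for a human.
        return Result(filename, trigger, Verdict.INDETERMINATE,
                      [f"setup.py does not parse: {exc.msg}"])

    exec_hits, obf_hits = [], []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node.func)
        if name in EXEC_CALLS:
            exec_hits.append(f"line {node.lineno}: {name}()")
        elif name in OBFUSCATION_CALLS:
            obf_hits.append(f"line {node.lineno}: {name}()")

    if exec_hits:
        verdict = Verdict.THREAT
    elif obf_hits:
        verdict = Verdict.INDETERMINATE
    else:
        verdict = Verdict.BENIGN
    return Result(filename, trigger, verdict, exec_hits + obf_hits)


def run_checks(trigger: Trigger, files: Dict[str, str]) -> Dict[str, Result]:
    """Evaluate every setup.py in `files` (filename -> source) for one trigger.

    The same check runs whichever trigger fired; only the recorded trigger
    differs, which is what an administrator sees when reviewing results.
    """
    return {name: setup_pattern_check(name, src, trigger) for name, src in files.items()}


def removal_candidates(results: Dict[str, Result]) -> List[str]:
    """Files whose verdict is THREAT are the ones put forward for removal."""
    return sorted(name for name, r in results.items() if r.verdict is Verdict.THREAT)


# Constructed sample inputs for this example (not real PyPI uploads).
SAMPLE_FILES = {
    "clean-1.0/setup.py": (
        "from setuptools import setup\n"
        "setup(name='clean', version='1.0')\n"
    ),
    "odd-1.0/setup.py": (
        "import base64\n"
        "from setuptools import setup\n"
        "banner = base64.b64decode('aGVsbG8=')  # decodes to 'hello'\n"
        "setup(name='odd', version='1.0', description=banner.decode())\n"
    ),
    "bad-1.0/setup.py": (
        "import base64, os\n"
        "from setuptools import setup\n"
        "os.system(base64.b64decode('ZWNobyBoaQ==').decode())  # 'echo hi'\n"
        "setup(name='bad', version='1.0')\n"
    ),
    "broken-1.0/setup.py": "from setuptools import setup(\n",
}

if __name__ == "__main__":
    results = run_checks(Trigger.UPLOAD, SAMPLE_FILES)
    for name, r in results.items():
        print(f"{name}: {r.verdict.value} {r.findings}")
    print("removal candidates:", removal_candidates(results))
```

The graded verdict matters in practice: a bare `base64.b64decode` in a build script is unusual but not proof of anything, so it is routed to a human rather than to removal, while a decoded payload handed straight to `os.system` is. A file that does not even parse is deliberately not marked benign, since a check that cannot read an input must not clear it.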

Future plans

PEP 458 was accepted in February 2020. The Python Enhancement Proposal calls for secure PyPI downloads with signed repository metadata and proposes how to integrate The Update Framework (TUF), a CNCF graduated project, with PyPI.

Work on the integration has begun and should be completed in the coming months. This will, according to the PSF, “enable clients like pip to ensure that they have downloaded valid files from PyPI and equip the PyPI administrators to better respond in event of a compromise.”


See more about the PyPI updates in the PSF blog post.


Source : JAXenter