List: oss-security
Subject: [oss-security] Supply Chain Issues in PyPI
From: Stian Kristoffersen <wayphinder () gmail ! com>
Date: 2023-09-21 20:10:15
Message-ID: CAKK2xXj0KVXv=6Lm3_4=Y8QOuh7tDqhOnKh_2sJzwz3trPE9Tw () mail ! gmail ! com
Here is a summary of some security research into the PyPI ecosystem:
https://stiankri.substack.com/p/supply-chain-issues-in-pypi
It includes:
- A PyPI upload Denial of Service vulnerability.
- Challenges with reproducibility in the PyPI ecosystem.
- Distribution Confusion in PyPI: a new way to distribute malicious packages, including how it affects Pip and Poetry.
- Manifest Confusion in PyPI: how package managers and security scanning tools resolve dependencies in different ways.
Best regards,
Stian Kristoffersen