List:       oss-security
Subject:    [oss-security] Supply Chain Issues in PyPI
From:       Stian Kristoffersen <wayphinder () gmail ! com>
Date:       2023-09-21 20:10:15
Message-ID: CAKK2xXj0KVXv=6Lm3_4=Y8QOuh7tDqhOnKh_2sJzwz3trPE9Tw () mail ! gmail ! com

Here is a summary of some security research into the PyPI ecosystem:

https://stiankri.substack.com/p/supply-chain-issues-in-pypi

It includes:

 - A PyPI upload Denial of Service vulnerability.

 - Challenges with reproducibility in the PyPI ecosystem.

 - Distribution Confusion in PyPI: a new way to distribute malicious
packages, including how it affects Pip and Poetry.

 - Manifest Confusion in PyPI: how package managers and security
scanning tools resolve dependencies in different ways.

Best regards,
Stian Kristoffersen