I think I have finally™️ (for the third or so time) found myself a solution for :python: #Python development on :nixos: #NixOS that allows me to just work with #pythonPoetry et al. as on other distros.
The solution is to pre-build an FHSUserEnv in your configuration.nix, e.g. like this¹.
When starting Python dev work, I now execute fhs (it's fast!), or directly fhs -c 'poetry shell' and everything works as expected, including #PyPI wheels etc.
Very cool to see some of the hard work we’ve been doing at #ActiveState for #Python packaging with #PyPI Trusted Publishing being made available to everyone today
@Rob_Bos Great! Naming confusion is indeed a big issue and becoming more prominently present in the open source world, which is not good. I'm a package maintainer for various projects, and I notice that my projects also get cloned with malicious code. Too bad PyPI isn't handling those security issues fast enough IMO.
#Python bundles xz v5.2.5 and earlier which don't contain the backdoored binary files. #PyPI is also not affected due to using Debian Bookworm, not Sid.
Querying PyPI packages and Python Dockerhub images doesn't show any xz 5.6.x binaries.
From what I've gathered from others, the backdoor appears to target sshd (SSH server) on glibc-based distros, so if you're using Ubuntu or Fedora check that you aren't affected.
On install they decrypt Fernet-encrypted code, which loads further code from https://funcaptcha[.]ru/paste2?package=asyncioo (replace the parameter with the package name).
I was blocked from accessing that code (am on mobile right now, so I don't have the means to investigate for real, Fernet decryption was already fun :abloblamp: ).
On this #PiDay, we want to remind you that our love for #python is infinite! Give the unique and unrepeatable love of Python* to yourself or a friend 💙💛 grab the @nostarch Humble Bundle today!
:python: Lazarus Exploits Typos to Sneak PyPI #Malware into #Dev Systems:
The notorious #NorthKorea'n state-backed hacking group Lazarus uploaded four packages to the #Python Package Index (#PyPI) repository with the goal of infecting #develop'er systems with malware.
#pypi #python - Did someone already write a tool to front-run safety or pip-audit before anything is installed? I guess something like "poetry lock" and then audit the files for suspicious situations, like CVEs, or the repo having been created yesterday, or the package having been published yesterday.
Installing everything then running safety IMHO has always been !@#$!@$ stupid because the malicious code runs during install.
Looking back at 2023 @miketheman uncovered some impressive metrics that we want to share! A big thanks to Fastly, and also @awsopen, for making Mike's job possible! #thankyou #PyPI #python
Hey friends! After a long hiatus, I'm starting #streaming again - as mentioned in an earlier post, I'm going to be figuring out how to create #apt / #yum repos. I've done some very simple #pypi in the past, and may do some work on that, too. We'll see what we can get done in the time I'll be spending.
When someone republishes an identical (?) copy of a major package under their own name on #pypi, that's probably malicious right? This is a variation on typosquatting.
Inspired by @fcodvpt's post about the current popularity of build backends, I investigated how the popularity of build backends used in pyproject.toml evolved over time since PEP-0517 introduced them in 2015: