miketheman, to python
@miketheman@hachyderm.io avatar

I sat down with @hajoslyn Editor-in-Chief at @TheNewStack during #PyConUS 2024 in Pittsburgh to discuss #Python, #PyPI, #AWS, @ThePSF, #security, and more.

It was so much fun, I hope you enjoy reading/listening/watching the piece as much as I had doing it!

https://thenewstack.io/whos-keeping-the-python-ecosystem-safe/

sjvn, to security
@sjvn@mastodon.social avatar

Malicious Package 'Pytoileur' Targets Windows and Leverages Stack Overflow for Distribution https://securityboulevard.com/2024/05/malicious-pypi-package-pytoileur-targets-windows-and-leverages-stack-overflow-for-distribution/ by @sjvn

This latest poisoned Python code used Slack Overflow to advertise itself. Happy, Happy, Joy, Joy!

dubbel, to python
@dubbel@mstdn.io avatar

Reported 5 malicious packages to : numberpy, tqmmd, pandans, openpyexl, reqwestss all by the same user leemay1782.

All with the same "functionality", getting commands via a socket from dzgi0h7on1jhzdg0vknw9pp9309rxjl8.oastify[.]com and executing it.
I don't think I saw the setup.py entry_points being used as a trigger mechanism before?

sjvn, to security
@sjvn@mastodon.social avatar

Malicious #PyPI Package 'Pytoileur' Targets Windows and Leverages Stack Overflow for Distribution - Security Boulevard https://securityboulevard.com/2024/05/malicious-pypi-package-pytoileur-targets-windows-and-leverages-stack-overflow-for-distribution/ by @sjvn

This latest poisoned Python code used Slack Overflow to advertise itself. Happy, Happy, Joy, Joy! #security

fohrloop, to python
@fohrloop@fosstodon.org avatar

Can sigtore signatures be uploaded to PyPI, and is there / would there be any use for them?

I was reading through https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/ and noticed the .sigstore files were only uploaded to GitHub Releases.

#python #pypi #pythonpackaging #sigstore

fohrloop,
@fohrloop@fosstodon.org avatar

@sethmlarson @yossarian

Thanks for the link! It So it seems that uploading signatures is not yet supported. Hope that PEP will help us get there. #python #PyPI #pythonpackaging #pythonsecurity

SpeechToTextCloud, to python
@SpeechToTextCloud@techhub.social avatar

Search vulnerabilities in Python packages:

$ curl -sX POST -d '{"version": "2.4.1", "package": {"name": "jinja2", "ecosystem": "PyPI"}}' 'https://api.osv.dev/v1/query' | jq '.vulns[].summary | select( . != null )'

=== Begin ===
"Jinja2 sandbox escape via string formatting"
"Incorrect Privilege Assignment in Jinja2"
"Insecure Temporary File in Jinja2"
"Regular Expression Denial of Service (ReDoS) in Jinja2"
"Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter"
"Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter"
"High severity vulnerability that affects Jinja2"
=== End ===

Useful jq query strings:
summary, details, aliases

Posit, to python
@Posit@fosstodon.org avatar

The April 2024 release of Posit Package Manager brings support for air-gapped PyPI repositories, more flexible curated CRAN repositories, performance improvements and more!

Learn about it in the blog post: https://posit.co/blog/posit-package-manager-2024-04-0/

miketheman, to python
@miketheman@hachyderm.io avatar

Well, another is done (for me - continue for another couple of days!)

It was excellent catching up with old friends and meeting tons of new ones. Pittsburgh was definitely a super cool vibe, 2025 should be fun too.

I'm looking forward to recharging my depleted physical batteries, so I can jump into all the important work we have ahead of us to continue to support this amazing community.

See you online somewhere!!

ucodery, to random
@ucodery@fosstodon.org avatar

Inspired by all the talk about #packaging during #PyconUS I went ahead and cut another release of my #TUI #PyPI package explorer kayak: https://github.com/ucodery/kayak/releases/tag/v0.6.0
Caution, still Very rough, still Very beta

phildini, to random
@phildini@wandering.shop avatar

Wow @brainwane one-upping @freakboy3742 ‘s “Modern Django ModelForm” with the #PyPi #Wellerman

The gauntlet has been dropped for best song performance in the #python community #PyConUS

mistersql, to random
@mistersql@mastodon.social avatar

has gotten so much better security-wise over the last year. Trusted Publisher is the best

https://docs.pypi.org/trusted-publishers/

nobodyinperson, to python
@nobodyinperson@fosstodon.org avatar

I think I have finally™️ (for the third or so time) found myself a solution for :python: development on :nixos: that allows me to just work with et. al. as on other distros.

The solution is to pre-build an FHSUserEnv in your configuration.nix, e.g. like this¹.

When starting Python dev work, I now execute fhs (it's fast!), or directly fhs -c 'poetry shell' and everything works as expected, including wheels etc.

¹https://gitlab.com/nobodyinperson/nixconfig/-/blob/main/fhs.nix?ref_type=heads

cc @publicvoit

pypi, to python

PyPI package maintainers can now publish via Trusted Publishing from three additional providers:

  • GitLab
  • Google Cloud
  • ActiveState

They join GitHub Actions to support publishing without long-lived passwords or API tokens.

#pypi #python
https://blog.pypi.org/posts/2024-04-17-expanding-trusted-publisher-support/

hugovk, to python
@hugovk@mastodon.social avatar

I have a little site that shows the most downloaded packages from PyPI, updated monthly:

https://hugovk.github.io/top-pypi-packages/

Inspired by this, Vladimir Iglovikov has made a nice leaderboard showing the change from last month:

https://pypilb.vercel.app

mistersql, to random
@mistersql@mastodon.social avatar

should have a filter for project size. When the readme is longer than the code, it is a sign that maybe

  • it shouldn't be a library (vendorize those 10 lines of code)
  • it is an outline for an idea of a gist, not a library or app

I mean this is clever, but it is a long way from, say Moodle,

https://github.com/BrokenShell/MultiChoice/blob/master/MultiChoice.py

(I'm picking on pypi's search functions, not this dev. If I wanted a gist for a prompt like prompt toolkit, this would be perfect)

CodenameTim, to python
@CodenameTim@fosstodon.org avatar

Does someone have an idea how long the PyPI organization queue is?

ucodery, to python
@ucodery@fosstodon.org avatar

Very cool to see some of the hard work we’ve been doing at for packaging with Trusted Publishing being made available to everyone today

https://blog.pypi.org/posts/2024-04-17-expanding-trusted-publisher-support/

sethmlarson, to security
@sethmlarson@fosstodon.org avatar

I'm attending , reach out to me if you want to chat about of or 👋

davep, to python
@davep@fosstodon.org avatar

I’ve released PISpy v0.6.0; a tool for looking up details of packages in PyPI, all done in the : https://blog.davep.org/2024/04/17/pispy-0-6-0.html

Rob_Bos, to github
@Rob_Bos@mstdn.social avatar

Have you seen the first edition of the #OctoInsider newsletter we created @xebia? You can also read along online: https://pages.xebia.com/octoinsider. Stay in the know with all the #GitHub news regularly!

melroy,
@melroy@mastodon.melroy.org avatar

@Rob_Bos Great! naming-confusion is indeed a big issue and becoming more prominently present in the open source world, which is not good. I'm a package maintainer for various projects, and I notice that my projects also get cloned with malicious code. Too bad PyPi isn't handle those security issues fast enough IMO.

hugovk, to python
@hugovk@mastodon.social avatar

🥚🐰🛞🐍 Exciting!

I'm doing the first @pillow release using cibuildwheel + PyPI publish GitHub Action + Trusted Publishers!

It'll take just under three hours to build 68 wheels and an sdist, and then upload them automatically to @pypi 🤞

The matrix covers CPython 3.8-3.12, PyPy 3.9-3.10, manylinux, musllinux, macOS Intel + Apple Silicon, Windows 32-bit + 64-bit + ARM...

Follow along the Easter fun at https://github.com/python-pillow/Pillow/actions/runs/8506382482 !

#Python #Pillow #PythonPillow #PyPI #TrustedPublishers #cibuildwheel

sethmlarson, (edited ) to python
@sethmlarson@fosstodon.org avatar

xz/liblzma backdoor (CVE-2024-3094) is trending.

https://openwall.com/lists/oss-security/2024/03/29/4

bundles xz v5.2.5 and earlier which don't contain the backdoored binary files. is also not affected due to using Debian Bookworm, not Sid.

Querying PyPI packages and Python Dockerhub images doesn't show any xz 5.6.x binaries.

From what I've gathered from others, the backdoor appears to target sshd (SSH server) on glibc-based distros, so if you're using Ubuntu or Fedora check that you aren't affected.

dubbel, to python
@dubbel@mstdn.io avatar

Reported 15 malicious packages: asyncioo, asyyncio, asyincio, aasyncio, etc...

On install they decrypt Fernet encrypted code, which loads further code from https://funcaptcha[.]ru/paste2?package=asyncioo (replace the parameter with the package name).

I was blocked from accessing that code (am on mobile right now, so I don't have the means to investigate for real, Fernet decryption was already fun :abloblamp: ).

Anyone else able to access it?

linuxmagazine, to python
@linuxmagazine@fosstodon.org avatar

From today's Linux Update newsletter: Pete Metlcalfe shows you how to use your favorite #Python libraries on client-side web pages with #PyScript https://www.linux-magazine.com/Issues/2024/278/PyScript #OpenSource #JavaScript #PyPi #Pyodide

  • All
  • Subscribed
  • Moderated
  • Favorites
  • JUstTest
  • mdbf
  • ngwrru68w68
  • tester
  • magazineikmin
  • thenastyranch
  • rosin
  • khanakhh
  • InstantRegret
  • Youngstown
  • slotface
  • Durango
  • kavyap
  • DreamBathrooms
  • megavids
  • tacticalgear
  • osvaldo12
  • normalnudes
  • cubers
  • cisconetworking
  • everett
  • GTA5RPClips
  • ethstaker
  • Leos
  • provamag3
  • anitta
  • modclub
  • lostlight
  • All magazines
    •