oss-sec mailing list archives
Supply Chain Issues in PyPI
From: Stian Kristoffersen <wayphinder () gmail com>
Date: Thu, 21 Sep 2023 22:10:15 +0200
Here is a summary of some security research into the PyPI ecosystem:
https://stiankri.substack.com/p/supply-chain-issues-in-pypi

It includes:

- A PyPI upload Denial of Service vulnerability.
- Challenges with reproducibility in the PyPI ecosystem.
- Distribution Confusion in PyPI: a new way to distribute malicious packages, including how it affects Pip and Poetry.
- Manifest Confusion in PyPI: how package managers and security scanning tools resolve dependencies in different ways.

Best regards,
Stian Kristoffersen