oss-sec mailing list archives

Supply Chain Issues in PyPI


From: Stian Kristoffersen <wayphinder () gmail com>
Date: Thu, 21 Sep 2023 22:10:15 +0200

Here is a summary of some security research into the PyPI ecosystem:

https://stiankri.substack.com/p/supply-chain-issues-in-pypi

It includes:

 - A PyPI upload Denial of Service vulnerability.

 - Challenges with reproducibility in the PyPI ecosystem.

 - Distribution Confusion in PyPI: a new way to distribute malicious
packages, including how it affects Pip and Poetry.

 - Manifest Confusion in PyPI: how package managers and security
scanning tools resolve dependencies in different ways.

Best regards,
Stian Kristoffersen
