Working toward securing PyPI downloads

An effort to protect package downloads from the Python Package Index (PyPI) has resulted in a Python Enhancement Proposal (PEP) and, perhaps belatedly, some discussion in the wider community. The basic idea is to use The Update Framework (TUF) to protect PyPI users from certain malicious actors who aim to interfere with the installation and updating of Python packages. But the name of the PEP and its wording, coupled with some recent typosquatting problems on PyPI, caused confusion along the way: typosquatting is a separate problem that TUF-style signing of the index does not address. There are competing interests and different cultures coming together over this PEP; the process has not run as smoothly as anyone might want, though that seems to be resolving itself at this point.