On 2023-01-10 01:07:45 David C. Rankin wrote:
| All,
|
| I'm not sure how openSUSE looks at packages or libraries obtained from
| PyPi, but I've followed a couple of fairly shocking stories in the past
| two weeks alone related to python malware distributed via packages
| obtained from PyPi. The Register summarizes in:
|
| https://www.theregister.com/2023/01/09/pypi_aws_malware_key/?utm_source=daily&utm_medium=newsletter&utm_content=article
|
| with the PyTorch story on Jan 5:
|
| https://www.theregister.com/2023/01/04/pypi_pytorch_dependency_attack/?utm_source=daily&utm_medium=newsletter&utm_content=top-article
|
| I don't do a lot with python, other than keep up with it and marvel at
| how the includes and libraries have grown like weeds in a vacant lot for
| Python3. I know enough to know that pulling libraries via PyPi is an
| often used and convenient way to handle dependencies. That raises the
| question - is there anything specific, or any tool openSUSE has looked at
| that may help prevent pulling in bad dependencies that are infected?
|
| (other than discourage this manner of obtaining python code?)
Unfortunately, because of openSUSE's conservative way of providing mostly back-level packages, one often has to obtain Python support components from outside their repositories, and it seems that even Pacman can't keep up with the Python community's profluent activity.

Leslie
--
Platform: Linux
Distribution: openSUSE Leap 15.4 x86_64
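David's question was whether any tool helps keep infected dependencies out of a PyPI-based install. One control that needs no distribution support is pip's own hash checking: when every requirement is pinned with `==` and carries a `--hash=sha256:...` entry, `pip install --require-hashes -r requirements.txt` refuses any artifact whose digest does not match, and a version range can no longer resolve to a newer, hijacked release. The script below is an added example written for this thread, not code from either poster or from openSUSE; it audits a requirements file for lines that would not pass `--require-hashes` and flags `--index-url`/`--extra-index-url` directives, which are the mechanism the PyTorch dependency-confusion story turned on. The sample requirements text and its hex digests are constructed placeholders, not real PyPI hashes.

```python
"""Audit a pip requirements file for entries that cannot be installed under
`pip install --require-hashes`.

Added example, not from the mailing-list thread. Reports every requirement
that is not pinned with '==' or lacks a '--hash=sha256:...' entry, and every
index directive, so a reviewer can see where the resolver could be steered
to an unexpected artifact. The sample below is constructed; the digests are
placeholders, not real package hashes.
"""
import re
from typing import List, Tuple

# Constructed sample requirements file (digests are placeholders).
SAMPLE_REQUIREMENTS = """\
# pinned and hashed: installable under --require-hashes
requests==2.28.1 \\
    --hash=sha256:7c5599b102feddaa661c826c56ab4fee28bfd17f5abca1ebbe3e7f19d7c97983
# pinned, but pip has nothing to verify the downloaded artifact against
numpy==1.24.1
# version range: any future release satisfies it, including a malicious one
torch>=1.13
# an extra index lets the resolver mix a private index with PyPI
--extra-index-url https://pypi.example.internal/simple
"""

# name, optional [extras], optional comparison operator, version text
REQ_RE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(==|>=|<=|~=|!=|>|<)?\s*([^\s;]*)"
)


def check_requirements(text: str) -> List[Tuple[str, str]]:
    """Return (subject, problem) pairs for every line that would fail
    --require-hashes, plus index directives that deserve a review."""
    findings: List[Tuple[str, str]] = []
    # Join backslash continuations so a requirement and its --hash options
    # form one logical line, exactly as pip reads them.
    logical = text.replace("\\\n", " ")
    for raw in logical.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("--index-url") or line.startswith("--extra-index-url"):
            findings.append(
                (line, "index directive: confirm the private index cannot be shadowed on PyPI")
            )
            continue
        m = REQ_RE.match(line)
        if not m:
            continue  # other pip options (-r, -e, ...) are out of scope here
        name, _extras, op, version = m.groups()
        if op != "==" or not version:
            findings.append((name, "not pinned with =="))
        if "--hash=sha256:" not in line:
            findings.append((name, "no sha256 hash; --require-hashes would refuse it"))
    return findings


if __name__ == "__main__":
    for subject, problem in check_requirements(SAMPLE_REQUIREMENTS):
        print(f"{subject}: {problem}")
```

Run against a real file, the output lists exactly the lines that need a pin or a hash before `--require-hashes` can be turned on; `pip hash <wheel>` or a tool such as pip-compile with `--generate-hashes` produces the digest entries. Hash checking only guarantees that what is installed is what was reviewed; the initial review of each pinned artifact is still a human step.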