I'm in full agreement about this. Also, using OBS for this allows you to track updates and whatnot in a fashion consistent with the rest of SUSE. As a developer, I have issues with PIP as a package manager. Its dependency resolving is not consistent and often incorrect. Demonstrably.

On Tue, Sep 12, 2023 at 5:57 AM David C. Rankin <drankinatty@suddenlinkmail.com> wrote:
On 9/11/23 07:42, Andrei Verovski wrote:
> Hi, For Python pip is a primary repository installer, not RPM/DEB.

Yep,

   Therein lies the problem. pip can pull in any repo it thinks it needs
from anywhere. That has been an attack vector used to great effect within the
past year, e.g.

PyTorch ML framework compromised in supply chain attack
https://www.techrepublic.com/article/pytorch-ml-compromised/

Actors behind PyPI supply chain attack have been active ...
https://arstechnica.com/information-technology/2022/09/actors-behind-pypi-supply-chain-attack-have-been-active-since-late-2021/

Supply Chain Attack Detected in PyPI Library - Bitdefender
https://www.bitdefender.com/blog/hotforsecurity/supply-chain-attack-detected-in-pypi-library/

  ... and so on. That's one reason I really do not like python. There is
nothing but loose "trust me I'm a dev, go ahead 'import myfoo'" that governs
what code is pulled in by any python project.

   While we would all like to believe that all python devs are meticulous in
validating the security aspect of the code they pull in to accomplish task
'X', we know in the real-world it's usually a quick web-search for what does
'X', a hasty download, and an addition of 'import libForX' to their project to
check if 'X' works and that's about it.

(now don't get me wrong, matplotlib is likely in a much better position than
any old run-of-the-mill package to have checks on where each package it relies
on is pulled from and it is more than likely 100% fine to pull it in with pip)

   Like I said, since these problems have come to light, more scrutiny is
being placed on the pip-PyPI setup -- but there is only so much manpower
available. It seems to be more in the "whack-a-mole" state than a
fully-hardened secure state.

--
David C. Rankin, J.D.,P.E.


--
Roger Oberholtzer