The Python Package Index (PyPI) is home to over 200,000 Python projects and has over 400,000 users. Developed and maintained by the Python community, it is under copyright of the Python Software Foundation (PSF).
In 2018, the PSF announced that they had received a monetary gift from Facebook that was to go towards implementing security features in PyPI.
SEE ALSO: Python data visualization with Bokeh
Here is what has happened so far.
Automatic malware checks
Last month, Milestone 2 of the updates was completed. This means that PyPI now has a system for automatic malware checks on board.
Protecting AI Solutions From Attacks
Alexander Polyakov (Independent Researcher)
AI for Decision Makers
Uri Eliabayev (Machine & Deep Learning Israel)
Reinforcement Learning and Imitation Learning Workshop
Dr. Neda Navidi (AIR (AI Redefined))
This high-level diagram shows how it works:
Automatic malware checks. Source.
As seen in the diagram, there are three different ways the malware checks can be triggered: Either when a PyPI user uploads a new file, release or project, when a PyPI admin initiates an evaluation run, or on a schedule. Ultimately, the check should then lead to the removal of malicious packages, releases and files.
Future plans
PEP 458 was accepted in February 2020. The Python Enhancement Proposal calls for secure PyPI downloads with signed repository metadata and proposes how to integrate The Update Framework (TUF), a CNCF graduated project, with PyPI.
The work has therefore begun and should be completed within the following months. This will, according to the PSF, “enable clients like pip to ensure that they have downloaded valid files from PyPI and equip the PyPI administrators to better respond in event of a compromise.”
SEE ALSO: Python Software Foundation: Mozilla and Chan Zuckerberg Initiative are funding pip with $407,000
See more about the PyPI updates in the PSF blog post.
The post Python Package Index now has automatic malware checks on board appeared first on JAXenter.
Source : JAXenter
