Episode #44: pip install malicious-code

Published Wed, Sep 20, 2017, recorded Tues, Sep 19, 2017.

This episode is brought to you by Datadog: pythonbytes.fm/datadog

Michael #1: Ten Malicious Libraries Found on PyPI

  • Code packages available in PyPI contained modified installation scripts.
  • Vulnerabilities were introduced into the setup.py execution of approximately 20 packages on PyPI.
  • Package names closely resembled those of modules in the standard Python library (e.g. urlib vs urllib).
  • The packages contained the exact same code as the upstream libraries except for an installation script.
  • Officials with the Slovak authority said they recently notified PyPI administrators of the activity, and all identified packages were taken down immediately. Removal of the infected libraries, however, does nothing to purge them from servers that installed them.
  • From PSF: Unlike some language package management systems, PyPI does not have any full time staff devoted to it. It is a volunteer run project with only two active administrators. As such, it doesn't currently have resources for some of the proposed solutions such as actively monitoring or approving every new project published to PyPI. Historically and by necessity we've relied on a reactive strategy of taking down potentially malicious projects as we've become aware of them.
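The story above turns on two cheap defensive checks: does a requirement name exactly match a standard-library module (which never needs installing from PyPI), and is it within a character or two of a well-known name? The script below is an added example, not code from the episode or from PyPI, and its allow-list of "known" packages is a constructed subset for illustration; it uses `difflib` similarity (cutoff 0.8, an arbitrary choice) and `sys.stdlib_module_names`, which exists on Python 3.10+ with a constructed fallback for older interpreters.

```python
from __future__ import annotations

import re
import sys
from difflib import get_close_matches

# Constructed allow-list of legitimate, well-known PyPI names (illustrative
# subset, not a registry). "urllib" is deliberately absent: it is a
# standard-library module and never needs to be installed from PyPI.
KNOWN_PACKAGES = {
    "requests", "urllib3", "setuptools", "pip", "virtualenv", "wheel",
    "django", "flask", "numpy", "cryptography", "pytest", "tox",
}

# Top-level standard-library names. sys.stdlib_module_names exists on
# Python 3.10+; the fallback is a constructed subset for older interpreters.
STDLIB_NAMES = set(getattr(sys, "stdlib_module_names",
                           {"urllib", "subprocess", "argparse", "json", "os"}))

# Requirement line: leading distribution name, then optional specifier/comment.
_REQ_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalise(name: str) -> str:
    """Fold case and separators so 'Setup-Tools' compares as 'setup_tools'."""
    return re.sub(r"[-.]+", "_", name.strip().lower())


def check_name(name: str, cutoff: float = 0.8) -> tuple[str, str | None]:
    """Classify one distribution name.

    Returns (verdict, closest_known) where verdict is one of
      'ok'            exact match for a known package
      'stdlib-shadow' exact name of a standard-library module (nothing to install)
      'lookalike'     within `cutoff` similarity of a known or stdlib name
      'unknown'       in neither list; needs a human look, not an alarm
    """
    norm = normalise(name)
    if norm in KNOWN_PACKAGES:
        return "ok", norm
    if norm in STDLIB_NAMES:
        return "stdlib-shadow", norm
    pool = sorted(KNOWN_PACKAGES | STDLIB_NAMES)
    close = get_close_matches(norm, pool, n=1, cutoff=cutoff)
    if close:
        return "lookalike", close[0]
    return "unknown", None


def parse_requirements(text: str) -> list[str]:
    """Pull distribution names out of requirements.txt-style text."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # drop trailing comments
        m = _REQ_NAME.match(line)             # skips blank lines and -r/-e options
        if m:
            names.append(m.group(1))
    return names


def audit(text: str) -> list[tuple[str, str, str | None]]:
    """Return (name, verdict, closest) for every requirement that is not 'ok'."""
    findings = []
    for name in parse_requirements(text):
        verdict, closest = check_name(name)
        if verdict != "ok":
            findings.append((name, verdict, closest))
    return findings


# Constructed sample requirements file; the misspellings are deliberate.
SAMPLE_REQUIREMENTS = """\
requests==2.18.4
urlib              # one 'l' short of the stdlib 'urllib'
setup-tools>=1.0   # hyphenated lookalike of setuptools
urllib3
"""

if __name__ == "__main__":
    for name, verdict, closest in audit(SAMPLE_REQUIREMENTS):
        hint = f" (did you mean {closest!r}?)" if closest else ""
        print(f"{name!r}: {verdict}{hint}")
```

Run it against a real requirements file by swapping in its contents for `SAMPLE_REQUIREMENTS`; a `lookalike` or `stdlib-shadow` verdict is a prompt to look at the package on PyPI (author, age, whether its setup.py does anything beyond installing), not proof of malice, and `unknown` just means the name is outside the small allow-list.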

Brian #2: PyPI migration to Warehouse is in progress

Brian #3: Live coding in a presentation

Michael #4: Notable REST / Web Frameworks

  • Falcon: https://falconframework.org/

    • Unburdening APIs for over 4.70 × 10^-2 centuries (4.7 years).
    • Falcon is a bare-metal Python web API framework for building very fast app backends and microservices.
    • Complementary: Falcon complements more general Python web frameworks by providing bare-metal performance and flexibility wherever you need it.
    • Compatible: Thanks to WSGI, Falcon runs on a large variety of web servers and platforms. Falcon works great with CPython 2.6, 2.7, and 3.3+. Try PyPy for an extra speed boost.
  • Hug: http://hug.rest

    • Drastically simplify API development over multiple interfaces.
    • With hug, design and develop your API once, then expose it however your clients need to consume it. Be it locally, over HTTP, or through the command line.
    • Built-in documentation

Brian #5: tox

  • “The name of the tox automation project derives from "testing out of the box". It aims to "automate and standardize testing in Python". Conceptually it is one level above pytest and serves as a command line frontend for running tests and automating all kinds of tasks around the project. It also acts as a frontend for Continuous Integration Systems to unify what you do locally and what happens in e.g. Jenkins or Travis CI.” - Oliver Bestwalter
  • a small tox.ini file:
    [tox]
    envlist = py27,py35,py36
    [testenv]
    deps = pytest
    commands = pytest

Michael #6: flake8-tidy-imports deprecated imports

  • You can declare {python2to3} as a banned-module import, and it will check against a long list of import moves and removals between python 2 and python 3, suggesting relevant replacements if available.
  • I meticulously compiled this list by reading release notes from Python 3.0-3.6 as well as testing in a large legacy python codebase, but I presumably missed a few.
  • Example:
    flake8 file.py
    file.py:1:1: I201 Banned import 'mock' used - use unittest.mock instead.
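To get the output shown above you configure flake8-tidy-imports through flake8's own config file; the fragment below is an added example, not taken from the project's docs, and assumes the `banned-modules` option name and its one-module-per-line `module = message` format (the `{python2to3}` entry is the special value described in the notes):

```ini
[flake8]
# flake8-tidy-imports: each line is "module = message shown in the I201 report"
banned-modules =
    mock = use unittest.mock instead
    {python2to3}
```

Put this in setup.cfg, tox.ini or .flake8, and `flake8 file.py` will report any `import mock` as I201 with the message you configured, plus the built-in Python 2 to 3 moves.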

Michael #7 (bonus!): Help Me Offer Coaching to First-Time PyGotham Speakers

  • Via A. Jesse Jiru Davis
  • I want to raise $1200 for public-speaking coaching for first-time speakers at PyGotham, the New York City Python conference. Will you chip in?
  • Jesse is a PyGotham conference organizer, but I’m launching this fundraiser independently of PyGotham.
  • As of September 19, I have raised my goal. Thanks to everyone who donated!

Our news

Michael:

Brian:
