![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIPn9dzeZZJsJenlWbgzw_jVzJaCKHWZybX0ZAqRGgQCqS90ovtydLRjTKkFSV8fWlnh6rS9FmS16wpM1QgHqFtOtBtWgNhYuckfCVLYfjYMnWPNPFu0Ihek8Tyu7AH6_uzBep4GQOhP_J1BgW-imfO2cJrp6-Smb75_GP9wE5fIsvrtdaLi0WeJrSb_B2/s728-rw-e365/python.png)
Python Package Index (PyPI) registry maintainers have announced a new feature that allows package developers to archive projects, as part of an effort to improve supply chain security.
Facundo Tuesca, a senior engineer at Trail of Bits, states:
Doing so will clearly show developers that the Python library will not be actively maintained, and that future security fixes and product updates are not to be expected.
Nevertheless, projects marked as archived remain available on PyPI, and users can continue to install them without any problems.
In a separate blog post describing the feature in detail, Tuesca said the maintainers are considering additional maintainer-controlled statuses to convey a project's state to downstream consumers.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6pXCGnRGchud7dy0Js-Nk2WVHEkMQoQuAXgwbDM220g8SVf8xNz42KSDgn0hnE-URHYBQRpYx40HMfS6c3RlkHpJYTJgjxLFEEzsWEV3Crgt8CekifFDoGY44eW9bra9ZaSJsFwB2YW8aIiBE0EhRTvMNJyq9QtUkuF4E4HEHpYIFWeN-LMNoPSyTzAGS/s728-rw-e365/status.jpg)
PyPI also recommends that package developers release a final version before archiving, updating the project description to warn users and to point to a replacement where one exists.
This development comes shortly after PyPI introduced the ability to quarantine projects, which lets administrators mark a project as potentially suspicious and prevents other users from installing it, limiting further harm.
In November 2024, PyPI administrators quarantined the Python library aiocpa after finding that a new update contained malicious code designed to exfiltrate private keys via Telegram.
Since last August, about 140 projects have been quarantined and subsequently removed from the registry.
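Because an archived project stays installable, pip alone will not tell you that a dependency has been archived or that a project was quarantined; that check belongs in your own dependency audit. The script below is an added illustration, not code from PyPI or from the article. It assumes the Simple API JSON shape from PEP 691 (a `files` list with PEP 700 `upload-time` values) plus the `project-status` object with `status` and `reason` keys that PEP 792 later standardized for status markers; the registry responses it reads are constructed samples embedded inline, and `fetch_project` stands in for the HTTP call to `https://pypi.org/simple/<name>/`.

```python
"""Audit a dependency list against PyPI project-status markers.

Added example, not PyPI's or the article's code. Assumes the Simple API JSON
shape (PEP 691 "files", PEP 700 "upload-time") plus the PEP 792
"project-status" object. SAMPLE_INDEX holds constructed responses, not real
registry data.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample responses keyed by project name (not real projects).
SAMPLE_INDEX = {
    "activelib": json.dumps({
        "name": "activelib",
        "project-status": {"status": "active"},
        "files": [{"filename": "activelib-2.0.0.tar.gz",
                   "upload-time": "2025-01-10T12:00:00.000000Z"}],
    }),
    "oldlib": json.dumps({
        "name": "oldlib",
        "project-status": {"status": "archived", "reason": "Superseded by newlib"},
        "files": [{"filename": "oldlib-1.4.0.tar.gz",
                   "upload-time": "2023-03-01T00:00:00.000000Z"}],
    }),
    "badlib": json.dumps({
        "name": "badlib",
        "project-status": {"status": "quarantined"},
        "files": [{"filename": "badlib-0.9.0.tar.gz",
                   "upload-time": "2024-11-20T00:00:00.000000Z"}],
    }),
    "legacylib": json.dumps({  # no status marker at all: treated as active
        "name": "legacylib",
        "files": [{"filename": "legacylib-0.1.0.tar.gz",
                   "upload-time": "2021-06-01T00:00:00.000000Z"}],
    }),
}

# Fixed "current time" so the staleness check is reproducible (constructed).
NOW = datetime(2025, 2, 1, tzinfo=timezone.utc)


def fetch_project(name, index=SAMPLE_INDEX):
    """Stand-in for GET https://pypi.org/simple/<name>/ with a JSON Accept header."""
    return json.loads(index[name])


def latest_upload(project):
    """Return the newest upload-time among the project's files, or None."""
    times = [
        datetime.fromisoformat(f["upload-time"].replace("Z", "+00:00"))
        for f in project.get("files", [])
    ]
    return max(times) if times else None


def audit(deps, now=NOW, stale_after=timedelta(days=365), index=SAMPLE_INDEX):
    """Map each dependency name to a list of human-readable risk flags."""
    findings = {}
    for name in deps:
        project = fetch_project(name, index)
        marker = project.get("project-status", {})
        status = marker.get("status", "active")
        reason = marker.get("reason")
        flags = []
        if status == "quarantined":
            flags.append("quarantined: PyPI blocks installs; treat as compromised until cleared")
        elif status == "archived":
            note = f" ({reason})" if reason else ""
            flags.append("archived: still installable, but no further security fixes expected" + note)
        last = latest_upload(project)
        if last is not None and now - last > stale_after:
            flags.append(f"no release since {last.date().isoformat()}")
        findings[name] = flags
    return findings


if __name__ == "__main__":
    for dep, flags in audit(list(SAMPLE_INDEX)).items():
        print(dep, "->", flags or ["ok"])
```

The archived case is deliberately reported as a warning rather than an error: the registry keeps serving the files, so the decision to keep, pin or replace the dependency is yours, and the `reason` field (where the maintainer filled it in) is the pointer to a replacement that PyPI recommends publishing before archiving.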
“By having this intermediate stage, PyPI administrators can enhance the safety of end users, enabling further investigation and removal of suspicious packages so that end users are protected more quickly.”
“Deleting a project from PyPI is a destructive action, whereas a quarantine state can be reversed if the report turns out to be a false positive, without destroying the project's history and metadata.”