Document PyPI security policy in FAQ and security page #7970

Closed
tiran opened this issue May 18, 2020 · 3 comments
Labels
documentation security Security-related issues and pull requests

Comments

tiran commented May 18, 2020

What's the problem this feature will solve?

The Python Security Response Team (PSRT) is getting inquiries and security reports regarding malicious content on PyPI regularly. Every now and then we have to educate reporters that PyPI is not a secure and tightly controlled app store but an open package index.

The pages https://pypi.org/help/ and https://pypi.org/security/ don't explain PyPI's security concept and policy as well.

Describe the solution you'd like

It would be fantastic if the official FAQ and security page of PyPI could set expectations and explain PyPA's security concept.

Incomplete list of topics:

  • PyPI is an open index. Everybody (also bad people) can register a new package name and upload new packages.
  • Registration only confirms email addresses. There is no additional background check.
  • PyPI does not protect against malicious content or typo squatting. The team removes and blocks malicious content on a best-effort basis. Uploaded code is not (yet) scanned for malicious content.
  • Package installation can result in arbitrary code execution.
  • Mention how to protect against exploits with version pinning and a custom PyPI mirror.
  • ...

The security policy should be objective, honest, but not go into fearmongering.

Additional context

tiran commented Mar 5, 2021

Hi,

PSRT got contacted by multiple reporters in the past months regarding "attacks" on PSRT, e.g. the dependency confusion issue. Just today we got contacted regarding:

@di @ewdurbin @ejodlowska
Could you please escalate this issue and come up with an official text? Reporters typically expect an authoritative, official response within a couple of hours. The Python Security Response Team is not the right body to make official statements on behalf of the PSF.

di commented Jul 30, 2021

We should provide a safe harbor notice as well, something like https://docs.github.com/en/github/site-policy/github-bug-bounty-program-legal-safe-harbor

@di di added the security Security-related issues and pull requests label Mar 20, 2023
@woodruffw

Triage: I think the security model goals here dovetail closely with #5718, so deduping in favor of continued tracking there!
