Questions tagged [pip]

5 questions
12 votes, 3 answers

Does Python's pip provide cryptographic authentication and integrity validation?

Does Python's pip package manager cryptographically validate its payload's authentication and integrity for all packages after downloading them and before installing them? I see a lot of guides providing installation instructions with steps asking…
3 votes, 2 answers

Is it possible to block non-PyPI requests during pip install?

In 2017 and 2018 there were these infamous stories about malicious packages being uploaded to the PyPI (Python Package Index) which tried to do all sorts of things (collecting and sending data, reverse shells etc) during installation as pip and…
alecxe
2 votes, 1 answer

How can the validity and safety of a software library be checked?

So beyond looking at the source code for a particular software library, is there a way to vet that it does not contain malicious code? As far as I know from my own research, services like pip, npm, and composer do not provide any assurances (Not that I…
Rehket
0 votes, 1 answer

Is this python package safe? I wrongly executed it with admin privileges and would like to know what steps to take to ensure my computer/data is safe

Before anything, please excuse my clear confusion over what is probably a non-issue. Computer security is definitely not my expertise, so any and all help is appreciated. I recently installed a Python package through pip that does not have many…
0 votes, 0 answers

How do you lock down PyPI access?

Another question (Is it possible to block non-PyPI requests during pip install?) asked about locking down non-PyPI pip installs for security reasons. This doesn't deal with the problem of malicious packages within PyPI itself. So, I would like to…
Compholio
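The first question ("Does Python's pip provide cryptographic authentication and integrity validation?") and the last one ("How do you lock down PyPI access?") both come down to the same mechanism: pip's hash-checking mode. Once any requirement carries a `--hash=` option (or `--require-hashes` is passed), pip refuses every requirement that is not pinned with `==` and hashed, and it compares the digest of each downloaded file against the listed hashes before installing. That guards the transport and the index, but not a malicious release that is legitimately on PyPI; for that you still need a project-level allowlist of package names, which is the missing piece the last question asks about. The following script is an added example written for this page, not code from pip or from any of the posts: it models what `--require-hashes` enforces and adds an allowlist plus a ban on requirement-file options that would pull from outside the configured index. The requirements text, allowlist and wheel bytes are constructed for the example, and the digests are of those bytes, not of any real package release.

```python
"""Hash-pinned requirements checker (illustrative, not pip's own code).
Models pip's --require-hashes rules (pin with ==, at least one --hash=,
fetched file matches one listed digest) plus an allowlist. All sample
data below is constructed for the example."""
import hashlib
import re

PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([0-9A-Za-z.!+-]+)$")
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*")
HASH_RE = re.compile(r"^--hash=(sha256|sha384|sha512):([0-9a-f]+)$")


def normalise(name):
    """PEP 503 normalisation: case-fold and collapse runs of '-', '_', '.'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def logical_lines(text):
    """Join backslash continuations and drop comments and blank lines."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            out.append(buf.strip())
        buf = ""
    if buf.strip():
        out.append(buf.strip())
    return out


def check_line(line, allowlist):
    """Return (normalised name, {algo: {hexdigest}}, [problems]) for one line."""
    tokens = line.split()
    head = tokens[0]
    # Option lines (-i, --extra-index-url, -f, -e ...) and direct URL or VCS
    # references fetch from outside the configured index, so reject them; the
    # index belongs in pip.conf. A real checker would follow -r/-c includes.
    if head.startswith("-") or "://" in head or head.startswith("git+"):
        return None, {}, [f"forbidden option or non-index source: {head}"]
    pin = PIN_RE.match(head)
    if not pin:
        nm = NAME_RE.match(head)
        name = normalise(nm.group(0)) if nm else head
        return name, {}, ["not pinned with ==; --require-hashes refuses ranges and bare names"]
    name, problems, hashes = normalise(pin.group(1)), [], {}
    for tok in tokens[1:]:
        h = HASH_RE.match(tok)
        if h:
            hashes.setdefault(h.group(1), set()).add(h.group(2))
        else:
            problems.append(f"unexpected option on requirement line: {tok}")
    if not hashes:
        problems.append("no --hash= given; --require-hashes refuses this line")
    if name not in allowlist:
        problems.append(f"{name} is not on the allowlist")
    return name, hashes, problems


def verify_artifact(data, hashes):
    """True iff data matches at least one pinned digest (pip's own rule)."""
    return any(hashlib.new(algo, data).hexdigest() in digests
               for algo, digests in hashes.items())


def audit(requirements_text, allowlist, artifacts):
    """Map each requirement to its problems (empty list = acceptable).
    artifacts: normalised name -> bytes of the file fetched for it."""
    report = {}
    for line in logical_lines(requirements_text):
        name, hashes, problems = check_line(line, allowlist)
        if not problems:
            if name not in artifacts:
                problems.append("no artifact fetched to verify")
            elif not verify_artifact(artifacts[name], hashes):
                problems.append("downloaded artifact does not match any pinned hash")
        report[name or line] = problems
    return report


# Constructed sample data: pretend wheel bytes, a tampered copy, and a
# requirements file whose only valid hash is that of the untampered bytes.
GOOD_WHEEL = b"PK\x03\x04 pretend contents of good_pkg-1.0.0-py3-none-any.whl"
TAMPERED_WHEEL = GOOD_WHEEL + b"\n# injected post-install payload"
GOOD_SHA256 = hashlib.sha256(GOOD_WHEEL).hexdigest()
ALLOWLIST = {"good-pkg", "unpinned-pkg"}
SAMPLE_REQUIREMENTS = f"""
# constructed requirements file
good-pkg==1.0.0 \\
    --hash=sha256:{GOOD_SHA256}
unpinned-pkg>=2.0                            # no pin, no hash
rogue-pkg==0.1 --hash=sha256:{GOOD_SHA256}   # hashed but not allowlisted
--extra-index-url https://evil.example/simple
"""

if __name__ == "__main__":
    for key, probs in audit(SAMPLE_REQUIREMENTS, ALLOWLIST,
                            {"good-pkg": GOOD_WHEEL}).items():
        print(key, "OK" if not probs else probs)
    print("tampered:", audit(SAMPLE_REQUIREMENTS, ALLOWLIST,
                             {"good-pkg": TAMPERED_WHEEL})["good-pkg"])
```

In practice you would generate the `--hash=` values once with `pip hash` (or a tool such as pip-compile's `--generate-hashes`) and install with `pip install --require-hashes -r requirements.txt`. Pairing that with `--only-binary=:all:` means only wheels are accepted, so no sdist `setup.py` runs at install time, which is the code-execution path the second question on this page worries about; the index itself should be fixed with `index-url` under `[global]` in `pip.conf` rather than in the requirements file.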