I have completed my Python 3 application, and it is using multiple public modules from PyPI.
However, before I deploy it to run within my company's enterprise, where it will be handling credentials of our customers and accessing 3rd-party APIs, I need to do due diligence that they are both secure and safe.
What steps must I perform:
By the way, the Python 3 application will be running within a Docker container.
Thank you
They are not safe. It would be easy to upload malicious code to PyPI. That's debatable.
These are 3 separate questions, so:
You'll have to audit the package (or get someone else to do that) to know if it's secure. No easy way around it.
All PyPI packages have an MD5 signature attached (link in parentheses after the file). Some of them also attach the PGP signature, which shows up in the same place, but it's up to the author whether they're published or not (https://pypi.python.org/pypi/rpc4django for example includes both MD5 and PGP). MD5 verifies integrity. PGP verifies integrity and origin, so it's a better choice when available.
Just as much as any other signature.
If you're worried about dependencies to that level, I think you should look at maintaining your internal PyPI repository. It gives you better verification (just sign the packages yourself after initial download and only accept your signature). It gives you better reliability and speed (you can still build the software if PyPI goes down). And it avoids issues with replaced/updated packages which you haven't audited/approved yet.
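The integrity check the answer describes, as an added example (not code from the question, the answer, or any project mentioned): record a digest of each package file when it is first audited, then refuse any later download whose digest differs, and emit the pinned `--hash=` form that pip's hash-checking mode (`pip install --require-hashes -r requirements.txt`) enforces at install time. SHA-256 is used rather than MD5 because it is the digest pip's hash-checking mode and current PyPI listings use. The artifact bytes and the file names are constructed for the example; a real deployment would hash the actual wheel or sdist and record the digest in the internal repository or requirements file.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed sample artifact: stands in for a wheel downloaded from PyPI or an
# internal mirror. Not a real package.
SAMPLE_ARTIFACT = b"example-1.0.0 (constructed sample bytes, not a real wheel)\n"
# The digest an integrator would have recorded when the package was first
# audited and approved (computed here from the constructed bytes).
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_ARTIFACT).hexdigest()


def digest_bytes(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of an in-memory artifact."""
    return hashlib.new(algorithm, data).hexdigest()


def digest_file(path: str, algorithm: str = "sha256", chunk_size: int = 1 << 20) -> str:
    """Hex digest of a file on disk, streamed so a large sdist need not fit in RAM."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_digest(actual_hex: str, expected_hex: str) -> bool:
    """Constant-time comparison of two hex digests, case-insensitive."""
    return hmac.compare_digest(actual_hex.lower(), expected_hex.lower())


def verify_artifact(path: str, expected_hex: str, algorithm: str = "sha256") -> bool:
    """True only if the file on disk hashes to the digest recorded at audit time."""
    return verify_digest(digest_file(path, algorithm), expected_hex)


def requirements_line(name: str, version: str, sha256_hex: str) -> str:
    """A pinned requirement in the form pip's --require-hashes mode expects."""
    return f"{name}=={version} --hash=sha256:{sha256_hex}"


def demo() -> dict:
    """Write a clean and a tampered copy of the sample and check both against the recorded digest."""
    with tempfile.TemporaryDirectory() as workdir:
        clean = os.path.join(workdir, "example-1.0.0-py3-none-any.whl")
        with open(clean, "wb") as f:
            f.write(SAMPLE_ARTIFACT)
        tampered = os.path.join(workdir, "example-1.0.0-py3-none-any.tampered.whl")
        with open(tampered, "wb") as f:
            # Any change, even one appended byte, must fail verification.
            f.write(SAMPLE_ARTIFACT + b"# appended byte\n")
        return {
            "clean_ok": verify_artifact(clean, SAMPLE_SHA256),
            "tampered_ok": verify_artifact(tampered, SAMPLE_SHA256),
            "requirement": requirements_line("example", "1.0.0", SAMPLE_SHA256),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The digest only proves the file is the one you audited; it says nothing about whether that audited file was safe, which is why the answer's first point (audit the package) still stands. Recording the digest once and then pinning it is also what makes an internal mirror useful: an upstream replacement of the same version number fails the check instead of silently replacing the reviewed code.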