TechEcho

PyPI has completed its first security audit

137 points, by miketheman, over 1 year ago

5 comments

lyu07282, over 1 year ago
Link to the report: https://github.com/trailofbits/publications/blob/master/reviews/2023-09-pypi-warehouse-securityreview.pdf

They seem not to have analysed the client side of pip itself, but I suppose there isn't anything you could say that isn't already obvious to everyone.
Reply #38266780 not loaded
mrbonner, over 1 year ago
My understanding from reading the report is that the audit covers PyPI's code and infrastructure itself and not the packages it hosts. Am I right?
Reply #38270691 not loaded
thenerdhead, over 1 year ago
Congrats! Thanks for trailblazing and being transparent to help other central registries follow.
the_common_man, over 1 year ago
How much does an audit cost?
Reply #38267305 not loaded
Reply #38267297 not loaded
easylion, over 1 year ago
Good to know. But how often are they going to do it? Is it going to be an annual event from now on?
Reply #38279813 not loaded