commit: e4d228eebf719d0d60b37e3a188269885477aac2
parent c7503f71bdd2a8fec6c0099bd5540c647c7f19a7
Author: Haelwenn (lanodan) Monnier <contact@hacktivis.me>
Date: Mon, 8 Jul 2024 17:38:38 +0200
bookmarks: https://zaitcev.livejournal.com/263602.html - PyPI is not trustworthy
Diffstat:
1 file changed, 1 insertion(+), 0 deletions(-)
diff --git a/bookmarks.xbel b/bookmarks.xbel
@@ -96,6 +96,7 @@
<bookmark added="2023-08-01T12:18:25+02:00" href="https://tails.net/contribute/design"><title>Tails Design</title></bookmark>
<bookmark added="2020-09-22T03:14:53+02:00" href="https://www.viva64.com/en/b/0558/"><title>Why it is important to check what the malloc function returned</title></bookmark>
<!-- or rather insecurity… -->
+ <bookmark added="2024-07-08T17:36:44+02:00" href="https://zaitcev.livejournal.com/263602.html"><title>PyPI is not trustworthy: zaitcev</title></bookmark>
<bookmark added="2023-05-06T15:40:25+02:00" href="https://moyix.blogspot.com/2022/09/someones-been-messing-with-my-subnormals.html">
<title>Someone’s Been Messing With My Subnormals!</title>
<desc>"TL;DR: After noticing an annoying warning, I went on an absurd yak shave, and discovered that because of a tiny handful of Python packages built with an appealing-sounding but dangerous compiler option, more than 2,500 Python packages—some with more than a million downloads per month—could end up causing any program that uses them to compute incorrect numerical results." But also "Unbeknownst to me, even with --dry-run pip will execute arbitrary code found in the package's setup.py. In fact, merely asking pip to download a package can execute arbitrary code (see pip issues 7325 and 1884 for more details)!"</desc>
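Review bot: the added entry `+ <bookmark added="2024-07-08T17:36:44+02:00" href="https://zaitcev.livejournal.com/263602.html"><title>PyPI is not trustworthy: zaitcev</title></bookmark>` carries a title only, whereas the neighbouring Subnormals bookmark records its security takeaway in a `<desc>` (pip running a package's setup.py even under --dry-run); a one-line `<desc>` saying what "not trustworthy" refers to would keep this bookmark useful without re-reading the post. The `: zaitcev` suffix also puts the author into the title, which the sibling titles in this hunk do not do; either drop it or note the author the same way for the other entries.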