
Add option to restrict package dependency domains (supply chain attack) #12623

Open
1 task done
JPHutchins opened this issue Apr 14, 2024 · 0 comments
Labels
S: needs triage Issues/PRs that need to be triaged type: feature request Request for a new feature

Comments

@JPHutchins

What's the problem this feature will solve?

Prevent local and upstream supply chain attacks that deliver compromised packages via a non-PyPI domain.

Describe the solution you'd like

Add a trusted-domains config option with reasonable defaults, like pypi.org, files.pythonhosted.org, etc.

Alternative Solutions

Users could set up firewall rules for pip to block corrupt dependency paths.

Additional context

170,000 Python users were impacted in this attack: https://checkmarx.com/blog/over-170k-users-affected-by-attack-using-fake-python-infrastructure/

I'm hopeful that we can mitigate such an attack!

@JPHutchins JPHutchins added S: needs triage Issues/PRs that need to be triaged type: feature request Request for a new feature labels Apr 14, 2024
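As an added illustration of the check this request asks for (not code from pip or from the issue author), the script below reads the JSON that `pip install --report` writes and flags every resolved download whose URL is not served from an allowlisted domain. The allowlist, the sample report and the host names in it are constructed for the example; the report layout (`install[].download_info.url`, `install[].metadata.name`) is the one pip emits.

```python
import json
from urllib.parse import urlsplit

# Assumed default allowlist, mirroring the hosts the issue names; not a pip-defined setting.
TRUSTED_DOMAINS = ("pypi.org", "files.pythonhosted.org")


def host_is_trusted(url, trusted=TRUSTED_DOMAINS):
    """Accept only https URLs whose host equals, or is a subdomain of, a trusted domain.

    The leading dot in the suffix test matters: a bare endswith("pypi.org") would
    also accept look-alike hosts such as notpypi.org.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return False  # plain http, file://, and malformed URLs are all rejected
    host = parts.hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def untrusted_downloads(report, trusted=TRUSTED_DOMAINS):
    """Return (name, url) for each entry of a `pip install --report` document
    whose download URL does not come from an allowlisted domain."""
    flagged = []
    for item in report.get("install", []):
        url = item.get("download_info", {}).get("url", "")
        name = item.get("metadata", {}).get("name", "<unknown>")
        if not host_is_trusted(url, trusted):
            flagged.append((name, url))
    return flagged


# Constructed sample report in the shape pip writes with --report; only the
# fields used above are filled in, and every host here is made up.
SAMPLE_REPORT = json.loads("""{
  "version": "1",
  "install": [
    {"download_info": {"url": "https://files.pythonhosted.org/packages/aa/bb/good-1.0-py3-none-any.whl"},
     "metadata": {"name": "good", "version": "1.0"}},
    {"download_info": {"url": "https://mirror.pkgs.example.net/packages/cc/dd/other-2.1.tar.gz"},
     "metadata": {"name": "other", "version": "2.1"}},
    {"download_info": {"url": "http://pypi.org/simple/plain-0.3-py3-none-any.whl"},
     "metadata": {"name": "plain", "version": "0.3"}}
  ]
}""")

if __name__ == "__main__":
    for name, url in untrusted_downloads(SAMPLE_REPORT):
        print(f"UNTRUSTED SOURCE: {name} <- {url}")
```

Run against a real report (`pip install --dry-run --report report.json ...`) this gives a pre-install gate that fails the build when any dependency resolves outside the allowlist, which is the effect a built-in trusted-domains option would provide.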