Improve our security practices, in particular around binary files #16371
Comments
|
There are a lot of articles about the "recent attack" but here is one: https://arstechnica.com/security/2024/04/what-we-know-about-the-xz-utils-backdoor-that-almost-infected-the-world/ |
|
Maybe some of these could be assisted by NumFOCUS now that they have a Security Committee? 🤔 |
@pllim this been shared with the team 👍 (I am on the committee). This also relates to my proposal to make a SPEC around supply chain https://discuss.scientific-python.org/t/spec-8-supply-chain-security/1163 What I am trying to do with the SPEC is to get projects to do exactly what you are doing now: think about such issues and propose some mitigations. |
|
Just wanna cross-link these issues here for future reference: |
What is the problem this feature will solve?
Recent malicious supply chain attacks have seen binary files slipped into a package (as test files in that case) that served as an attack vector. Could this happen to astropy? How do we prevent it?
Describe the desired outcome
Not clear. This issue is to collect ideas how to address the problem, for example:
Additional context
Automated tools for some security checks exist, e.g.
Infrastructure of security team should run those, see what the results are, fix what’s easy to fix and write down examples where general checks do not apply to astropy (and thus give bad marks).
Goal would be to run those checks in CI for people to look at and decide themselves how useful it is.
The text was updated successfully, but these errors were encountered: