Packaging/2019-12-11-Warehouse
Legacy Wiki Page
This page was migrated from the old MoinMoin-based wiki. Information may be outdated or no longer applicable. For current documentation, see python.org.
PyPI Project Kickoff - 2019 Q4 RFP Milestone 2 - Automated Detection of Malicious Uploads
Attendees
Ernest W. Durbin III - PSF
Cristina Muñoz - Independent Contractor
William Woodruff - Trail of Bits
Mike Myers - Trail of Bits
Introductions
Ernest: PSF Director of Infrastructure. Overseeing the project; available for review, design discussions, and project onboarding.
Cristina: Independent contractor, proposed for Milestone 2. Will be working on the implementation of Milestone 2.
Trail of Bits: William - Security Engineer at ToB, will be working on design and review of the Milestone 2 work. Mike - Engineering Practice Manager, point of contact for administrative concerns.
Logistics and Communications
GitHub: https://github.com/pypa/warehouse - Code Review, Design discussion, and Project tracking
Slack: https://thepsf.slack.com for synchronous communication related to onboarding/development and for higher-throughput conversations.
William and Mike from ToB are already present as single-channel guests; an invitation email is needed for Cristina.
Meetings: Scheduled as needed, or monthly.
Project Timeline and Availability
Known unavailability:
Ernest: Firm: December 24-25, January 1. Tentative: December 23, 26-27.
Mike: Dec 24 - Jan 1
William: Dec 16 - 20
Cristina: Generally around
Next Steps
Project onboarding: William should be up to speed; Cristina can work with Ernest as needed.
Cristina: Share the design proposal; after discussion, create a GitHub Issue to capture and discuss the design from the proposal.
Ernest: Reference related issues from the above issue and create a Milestone: https://github.com/pypa/warehouse/milestones.
Trail of Bits: Interview point of contact is Ernest; background reading: https://python-security.readthedocs.io/packages.html#pypi-typo-squatting.
Initial questions for the interview:
Survey of the history of packages removed from PyPI
Expected/desired incident response workflow
Tolerance for false positives/false negatives