PyPI new user and new project registrations temporarily suspended

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • warehouse

    The Python Package Index

    There are no plans to limit trusted publishers. In fact, there is another in the works: https://github.com/pypi/warehouse/issues/13551

  • postgres

    Docker Official Image packaging for Postgres (by docker-library)

    Tragedy of the commons: it only takes a few actors to ruin it all for us. Almost all distributors face this problem, from Docker Hub to PyPI. This also reminded me of the official Postgres Docker image running a cryptominer in the background [1].

    [1] - https://github.com/docker-library/postgres/issues/770

  • guarddog

    GuardDog is a CLI tool to identify malicious PyPI and npm packages

    I've been very cautious the last couple of years due to these bad actors when looking at packages that might suit my needs. If there is no online presence of the source code (git anything, zips/gzs, etc.), multiple packages submitted in a short time frame or in a greater-than-normal amount, and/or a derivation/plugin of a popular package, it's usually a no-go.

    For those that I do possibly trust, I then download the package (pip download) and review it. Doing a quick regex for URLs or exec() calls helps, but I probably should use something like guarddog (https://github.com/DataDog/guarddog).

  • gh-action-pypi-publish

    The blessed GitHub Action for publishing your distribution files to PyPI: https://github.com/marketplace/actions/pypi-publish

    > Recently I've seen someone on Reddit trying to automate the creation of PyPI projects through GitHub Actions. The person was complaining that the first deployment couldn't use an API key for that project since it didn't exist. So I'm not surprised some people are trying to do the same for malicious purposes.

    Sorry for the tangent, but: you can do this now! If you use trusted publishing, you can register a "pending publisher" for a project that doesn't exist yet. When the trusted publisher (like GitHub Actions) is used, it'll create the project[1].

    All of this is supported transparently by the official publishing action for GitHub Actions[2].

    [1]: https://docs.pypi.org/trusted-publishers/creating-a-project-...

    [2]: https://github.com/pypa/gh-action-pypi-publish

NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a more popular project.

Related posts

  • 451 PyPI packages install Chrome extensions to steal crypto

    1 project | /r/CryptoCurrency | 14 Feb 2023
  • Finding malicious PyPI packages through static code analysis: Meet GuardDog

    1 project | /r/blueteamsec | 17 Nov 2022
  • GitHub Release Action for the Python Package Index

    4 projects | dev.to | 8 Jun 2024
  • The ultimate guide to creating a secure Python package

    4 projects | dev.to | 8 May 2024
  • Smooth Packaging: Flowing from Source to PyPi with GitLab Pipelines

    8 projects | dev.to | 18 Jan 2024