Relative “Dependency Cooldowns” in pip v26.0 with crontab
WARNING: Most of this blog post is a hack; most people should simply wait for relative dependency cooldowns to land in a future version of pip.
pip v26.0 added the --uploaded-prior-to option, which only considers distributions uploaded before a given date. That is enough to implement "dependency cooldowns", a technique described by William Woodruff: by refusing to install anything published in the last few days, you sidestep the relatively short window during which freshly uploaded malware on a public package repository goes undetected. The cooldown brings the reaction time back within the realm of humans, who sometimes need to run manual triage processes before malware is removed from PyPI.
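The following is an added example of the cron-driven approach, not the script from the linked post. It assumes that --uploaded-prior-to accepts a plain ISO calendar date (YYYY-MM-DD); the cutoff-file path, the PIP_COOLDOWN_FILE variable, the 7-day window and the 03:00 cron schedule are illustrative choices, and the script must be installed at the path used in the crontab line.

```shell
#!/bin/sh
# Added example (not the post's own script): a relative dependency cooldown
# for pip >= 26.0, driven by a cron job that refreshes a cutoff-date file.
# Assumed (not stated on the page): --uploaded-prior-to takes YYYY-MM-DD;
# the file path, env var name and cron schedule are illustrative.
set -eu

# Print the UTC date DAYS days ago as YYYY-MM-DD.
# Tries GNU date first, then falls back to BSD/macOS date syntax.
cooldown_cutoff() {
    days="$1"
    date -u -d "${days} days ago" +%Y-%m-%d 2>/dev/null \
        || date -u -v-"${days}"d +%Y-%m-%d
}

# Refresh the cutoff file. This is what the crontab entry runs, so the
# "relative" part of the cooldown is recomputed every night without any
# change to pip itself.
write_cooldown_date() {
    days="$1"; file="$2"
    mkdir -p "$(dirname "$file")"
    cooldown_cutoff "$days" > "$file"
}

# Read the cutoff from FILE and emit the pip option. Anything that is not a
# plain YYYY-MM-DD is rejected so a corrupted or empty file cannot quietly
# weaken the cooldown; failing here is clearer than a pip parse error later.
pip_cooldown_arg() {
    file="$1"
    cutoff="$(cat "$file")"
    case "$cutoff" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "bad cooldown date in $file: '$cutoff'" >&2; return 1 ;;
    esac
    printf '%s\n' "--uploaded-prior-to=$cutoff"
}

# Day-to-day wrapper:  cooldown_pip install requests
cooldown_pip() {
    file="${PIP_COOLDOWN_FILE:-$HOME/.config/pip/cooldown-date}"
    arg="$(pip_cooldown_arg "$file")" || return 1
    sub="$1"; shift
    pip "$sub" "$arg" "$@"
}

# Print the crontab line that refreshes the cutoff at 03:00 daily
# (install with `crontab -e` or pipe it through `crontab -`).
# SCRIPT is the installed path of this file.
crontab_line() {
    days="$1"; file="$2"; script="$3"
    printf '0 3 * * * sh %s refresh %s %s\n' "$script" "$days" "$file"
}

# Entry point used by cron: sh cooldown.sh refresh DAYS FILE
if [ "${1:-}" = "refresh" ]; then
    write_cooldown_date "$2" "$3"
fi
```

A cooldown only helps against packages whose malicious release is caught and pulled within the window; it is a complement to pinning and hash-checking, not a replacement for them, and a machine whose cron job stops running will keep installing against a stale, ever-older cutoff rather than failing open, which is the safer direction.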
Read more: https://sethmlarson.dev/pip-relative-dependency-cooling-with-crontab