upvote

points

by bognition1 days ago |
comments
upvoteby Shank1 days ago|
next
[-]
> Its breaking a bunch of my systems that are all launched with `uv run`

From a security standpoint, you would rather pull in a library that is compromised and run a credential stealer? It seems like this is the exact intended and best behavior.

reply
upvoteby tedivm1 days ago|
prev|
next
[-]
You should be using build artifacts, not relying on `uv run` to install packages on the fly. Besides the massive security risk, it also means that you're dependent on a bunch of external infrastructure every time you launch. PyPI going down should not bring down your systems.
reply
upvoteby zbentley1 days ago|
parent|
next
[-]
This is the right answer. Unfortunately, this is very rarely practiced.

More strangely (to me), this is often addressed by adding loads of fallible/partial caching (in e.g. CICD or deployment infrastructure) for package managers rather than building and publishing temporary/per-user/per-feature ephemeral packages for dev/testing to an internal registry. Since the latter's usually less complex and more reliable, it's odd that it's so rarely practiced.

reply
upvoteby lanstin1 days ago|
parent|
prev|
[-]
There are so many advantages to deployable artifacts, including audibility and fast roll-back. Also you can block so many risky endpoints from your compute outbound networks, which means even if you are compromised, it doesn't do the attacker any good if their C&C is not allow listed.
reply
upvoteby MeetingsBrowser1 days ago|
prev|
next
[-]
Are you sure you are pinned to a “known good” version?

No one initially knows how much is compromised

reply
upvoteby wasmitnetzen12 hours ago|
prev|
next
[-]
Take this as an argument to rethink your engineering decision to base your workflows entirely on the availability of an external dependency.
reply
upvoteby cpburns20091 days ago|
prev|
next
[-]
That's PyPI's behavior when they quarantine a package.
reply
upvoteby zbentley1 days ago|
prev|
next
[-]
That's a good thing (disruptive "firebreak" to shut down any potential sources of breach while info's still being gathered). The solve for this is artifacts/container images/whatnot, as other commenters pointed out.

That said, I'm sorry this is being downvoted: it's unhappily observing facts, not arguing for a different security response. I know that's toeing the rules line, but I think it's important to observe.

reply
upvoteby saidnooneever1 days ago|
prev|
[-]
known good versions and which are those exactly??????
reply