Python Security Concerns and Package Management
The State of PyPI Security
Recent reports highlighted malicious libraries discovered on PyPI. These packages employed typosquatting or spoofed names of standard library modules to trick users.
• The malicious code was embedded in setup.py, which runs at install time, allowing it to collect sensitive information like usernames and IP addresses.
• The Python Software Foundation (PSF) clarified that PyPI is a volunteer-run project without dedicated full-time staff, relying on a reactive system for security.
• Discussions are ongoing about implementing better verification for packages that shadow standard library names.
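As an added example, not code from the reports or from the PSF: a defender-side check that flags requirement lines naming, or sitting one typo away from, a standard library module, the class of name the verification discussion above targets. It assumes a requirements.txt-style input and uses sys.stdlib_module_names (Python 3.10+), with a constructed fallback list for older interpreters.

```python
import re
import sys
from typing import List, Optional, Tuple

# Interpreters before 3.10 lack sys.stdlib_module_names; this fallback set is constructed for the demo.
_FALLBACK_STDLIB = frozenset({"urllib", "json", "socket", "subprocess", "collections", "logging"})
STDLIB = getattr(sys, "stdlib_module_names", _FALLBACK_STDLIB)


def normalize(name: str) -> str:
    """PEP 503 normalization: 'Url_Lib', 'url-lib' and 'url.lib' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


# Public stdlib names only; private ones (_thread, __future__) are not install targets.
STDLIB_BY_NORM = {normalize(m): m for m in STDLIB if not m.startswith("_")}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; distance 1 is the classic typosquat (urlib, colections)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_requirement(line: str) -> Optional[Tuple[str, str]]:
    """Return (package, reason) when a requirement line deserves review, else None."""
    line = line.split("#", 1)[0].strip()  # drop comments and blank lines
    if not line:
        return None
    pkg = re.split(r"[\s<>=!~\[;]", line, maxsplit=1)[0]  # 'requests==2.31.0' -> 'requests'
    norm = normalize(pkg)
    if norm in STDLIB_BY_NORM:
        return pkg, f"shadows standard library module '{STDLIB_BY_NORM[norm]}'"
    for cand, mod in STDLIB_BY_NORM.items():
        # Short names (os, re, ssl) would match far too much at distance 1.
        if len(cand) >= 4 and edit_distance(norm, cand) == 1:
            return pkg, f"one edit away from standard library module '{mod}'"
    return None


def audit(requirements: str) -> List[Tuple[str, str]]:
    """Run check_requirement over a whole requirements file and keep the findings."""
    found = (check_requirement(line) for line in requirements.splitlines())
    return [f for f in found if f is not None]


# Constructed sample input for the demo, not a real project's requirements file.
SAMPLE_REQUIREMENTS = "requests==2.31.0\nurllib  # stdlib name\ncolections>=1.0  # one off 'collections'\n"
```

A one-edit hit is a prompt for human review of the package page and its setup.py, not a verdict; legitimate names do occasionally land near a stdlib module.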
Evolution of PyPI and Warehouse
PyPI.org is finally transitioning to the new Warehouse platform, offering a more modern interface and improved security.
• The old API endpoints are being deprecated in favor of the Warehouse implementation.
• Future updates include support for Markdown in README files, significantly improving the authoring experience.
Developer Productivity and Tooling
RESTful Frameworks
"Bare-metal Python Web API for building very fast backends and microservices."
• Falcon: A high-performance, low-level framework perfect for microservices.
• Hug: Built on top of Falcon, Hug simplifies API creation and provides excellent built-in documentation and support for multiple interfaces (HTTP, CLI).
Testing Standardization
• Tox is a crucial tool for automating tests across different environments and versions of Python, serving as a frontend for runners like pytest.
• Flake8 plugins now help developers identify deprecated patterns when migrating from Python 2 to Python 3.
Community Corner
• PyGotham: An effort is underway to fund a speaking coach for first-time speakers to foster growth in the community.