Contents

Security when installing Python packages

What to keep in mind when installing packages with pip

You should always think about security. Especially when you’re writing code. And twice as much when you use other people’s code. It saves a lot of time and effort. But it can also lead to problems, especially if you don’t at least use common sense.

Modules

When programming, you can save commonly used classes, objects, and functions in modules. This is the official name for files with the extension .py. Conventionally, a module can be distinguished from an ordinary Python program by the fact that the program is designed to run and execute, while the module is designed to store frequently used constructs and import them into other programs.

Packages

A Package in Python is a directory containing other directories and modules, as well as special files. Packages are used to form a namespace, which allows different modules, united as a rule by a common theme, to be used.

Repository

The best known repository for such packages is the PyPI or Python Package Index. You can find and install packages on almost any topic in PyPI. In 2022, there were over 370,000 different packages contained there.

I was wondering what security measures other developers are taking to make sure they aren’t downloading anything malicious from PyPI. After all, anyone can upload their package there, and so far there are no security checks or preventive measures taken by PyPi itself.

Tips

Some helpful tips on this topic:

  1. If you can understand it, take a look at the source code of a package before you install it.
  2. Only install software from reputable developers. On the package page, at least look at the GitHub stats - the number of stars and forks. The more there are, the more people using the package and the less likely to get evil code.
  3. Read Python Security doc about packages and PyPi.
  4. Pay attention to the Safety package. It checks your installed packages for known vulnerabilities.
  5. Use the Insecure Python Packages list to identify vulnerabilities in installed packages.

Good news

In late December 2019, the Python Software Foundation announced that they have received a grant from Facebook and will begin work on adding “advanced security features” to the Python Package Index.

Among the features they plan to add will be verifiable cryptographic artifact signing and automatic detection of malicious downloads.

Let your code and your modules be always safe! :)