The security of Python packages, the fundamental units of the ecosystem, is crucial. Packages are distributed using archive formats like ZIP and tar, which can be exploited due to their complex features. Vulnerabilities in these archive formats can lead to inconsistent interpretations of package contents by different tools. This inconsistency can result in issues like malware scanners producing conflicting results. Seth Larson, PSF Security Developer-in-Residence, published a white paper detailing 10 vulnerabilities in common archive format implementations for Python projects. The paper suggests that the Python Package Index (PyPI) can safeguard against insecure archive implementations by coordinating disclosures with other packaging tools. Future work aims to strengthen ZIP and tar implementations, including those in Python's standard library. The white paper also offers recommendations for reproducible archive builds within packaging ecosystems. Individuals can contribute to the PSF's security efforts by becoming a member, donating, or sponsoring the organization. The Security Developer-in-Residence position is sponsored by Alpha-Omega, and interested parties can contact sponsors@python.org to support similar initiatives.
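The inconsistency the paragraph describes comes from a ZIP archive carrying two descriptions of its contents (the central directory and the per-file local headers) that tools may read differently. As an added illustration, not code from the white paper or the PSF, the checker below parses both structures independently and reports where they disagree; the sample archive and its tampered variant are constructed inline, and the name-mismatch case is assumed here as one instance of such a discrepancy.

```python
import io
import struct
import zipfile

LOCAL_SIG, CEN_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"


def central_directory(data: bytes):
    """Yield (name, local_header_offset) for every central directory entry."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    for _ in range(count):
        if data[pos:pos + 4] != CEN_SIG:
            raise ValueError("bad central directory signature")
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        local_off = struct.unpack_from("<I", data, pos + 42)[0]
        yield data[pos + 46:pos + 46 + name_len].decode("utf-8"), local_off
        pos += 46 + name_len + extra_len + comment_len


def local_header_name(data: bytes, offset: int) -> str:
    """Read the file name stored in the local file header at the given offset."""
    if data[offset:offset + 4] != LOCAL_SIG:
        raise ValueError("bad local header signature")
    name_len = struct.unpack_from("<H", data, offset + 26)[0]
    return data[offset + 30:offset + 30 + name_len].decode("utf-8")


def check_zip_consistency(data: bytes) -> list[str]:
    """Return findings where the central directory and local headers disagree."""
    findings, seen = [], set()
    for cd_name, local_off in central_directory(data):
        if cd_name in seen:
            findings.append(f"duplicate central directory entry: {cd_name!r}")
        seen.add(cd_name)
        local_name = local_header_name(data, local_off)
        if local_name != cd_name:
            findings.append(f"name mismatch: central={cd_name!r} local={local_name!r}")
    return findings


def build_sample(tamper: bool = False) -> bytes:
    """Constructed sample: a one-file archive, optionally with only the local header name altered."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pkg/__init__.py", "VERSION = '1.0'\n")
    data = buf.getvalue()
    if tamper:
        # The local header precedes the central directory, so the first match is the local name;
        # the replacement has the same length, so no offsets shift.
        data = data.replace(b"pkg/__init__.py", b"pkg/__main__.py", 1)
    return data
```

A tool that trusts only the central directory (as `zipfile.ZipFile.namelist()` does) still reports `pkg/__init__.py` for the tampered archive, while a sequential extractor reading local headers would see `pkg/__main__.py`; the checker surfaces that gap before either view is trusted.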
