PyPI Project Kickoff - 2019 Q4 RFP Milestone 2 - Automated Detection of Malicious Uploads
Attendees
- Ernest W. Durbin III - PSF
- Cristina Muñoz - Independent Contractor
- William Woodruff - Trail of Bits
- Mike Myers - Trail of Bits
Introductions
- Ernest: PSF Director of Infrastructure. Overseeing the project; available for review, design discussions, and project onboarding.
- Cristina: Independent contractor, proposed for Milestone 2. Will be working on the implementation of Milestone 2.
- Trail of Bits: William - Security Engineer at ToB, will be working on design and review of the Milestone 2 work. Mike - Engineering Practice Manager, point of contact for administrative concerns.
Logistics and Communications
- GitHub: https://github.com/pypa/warehouse - code review, design discussion, and project tracking.
- Slack: https://thepsf.slack.com for synchronous comms related to onboarding/development and higher-throughput conversations.
  - William and Mike from ToB are already present as single-channel guests. Need an invitation email for Cristina.
- Meetings: Scheduled as needed, or monthly.
Project Timeline and Availability
Known unavailability:
- Ernest: Firm: December 24-25, January 1. Tentative: December 23, 26-27.
- Mike: Dec 24 - Jan 1
- William: Dec 16 - 20
- Cristina: Generally available
Next Steps
- Project on-boarding: Will should be up to speed; Cristina can work with Ernest as needed.
- Cristina: Share the design proposal; after discussion, create a GitHub issue to capture and discuss the design from the proposal.
- Ernest: Reference related issues from the above issue and create a milestone: https://github.com/pypa/warehouse/milestones.
- Trail of Bits: Interview the point of contact (Ernest). Background reference: https://python-security.readthedocs.io/packages.html#pypi-typo-squatting.
  - Initial questions:
    - Survey of the history of packages removed from PyPI
    - Expected/desired incident response workflow
    - Tolerance for false positives/false negatives