PyPI Project Kickoff - 2019 Q4 RFP Milestone 2 - Automated Detection of Malicious Uploads
Attendees:
- Ernest W. Durbin III - PSF
- Cristina Muñoz - Contractor
- William Woodruff - Trail of Bits
- Mike Myers - Trail of Bits
Absent:
- (RSVP Maybe) Paul Kehrer - Trail of Bits
Introductions:
Ernest: PSF Director of Infrastructure. Overseeing the project; available for review, design discussions, and project onboarding.
Cristina: Contractor, proposed for Milestone 2. Will be working on the implementation of Milestone 2.
Trail of Bits: William - Security Engineer at ToB, will be working on design and review of the Milestone 2 work. Mike - Engineering practice manager. May not be super "around".
Logistics and Communications:
GitHub: https://github.com/pypa/warehouse
Slack: https://thepsf.slack.com (William and Mike from ToB are already present as single-channel guests; an invitation email is needed for Cristina.)
Meetings: Scheduled as needed, or monthly.
Project Timeline and Availability:
Known unavailability:
- Ernest: Firm: December 24-25, January 1. Tentative: December 23, 26-27.
- Mike: Dec 24 - Jan 1
- William: Dec 16 - 20
- Cristina: Generally around
Next Steps:
Project onboarding: Will should be up to speed; Cristina can work with Ernest as needed.
Cristina: Create a GitHub Issue to capture and discuss the design from the proposal. Please send a Slack invite to hi@xmunoz.com.
Ernest: Reference related issues from the above issue and create a Milestone: https://github.com/pypa/warehouse/milestones.
Trail of Bits: Interview point of contact: Ernest. Background reading: https://python-security.readthedocs.io/packages.html#pypi-typo-squatting. Initial questions:
* Survey of the history of packages removed from PyPI
* Expected/desired incident response workflow
* Tolerance for false positives/false negatives