I am facing Security blocking PyPi.org how to fix it

hannan011 · January 10, 2023, 3:41pm

It was suggested that I ask this here, and if I’m asking it in the incorrect area, I apologise in advance.

Worst issue The past two weeks, I encountered. When downloading modules using pip at work, I started experiencing problems.
There were issues verifying the SSL certificate for HTTPSConnectionPool(host=‘pypi.org’, port=443), and I would receive a succession of WARNING messages indicating that this had occurred.

After some time, I learned that the security director at this company had blocked pypi on the Umbrella (Cisco’s OpenDNS) because the site had "29 malwared dangerous modules". That was from last fall, as far as I can tell, and all those modules have been taken out.

What can I do to rectify this, I wonder?
Waiting for reply
Thanks:

sinoroc · January 10, 2023, 4:29pm

Probably related:

How to handle Security blocking PyPi.org

kgraham · January 10, 2023, 5:05pm

That’s my original post.
Thanks!

barry-scott · January 10, 2023, 7:49pm

At work we get the source of the packages, review the code, and then build it in house.
We find the upstream repos that the PyPI package is built from and download from there.
It is not unknown for the code in the wheel to not match upstream releases.
Also knowing the upstream repos makes it possible contribute fixes you need back as PRs.

That is a process that your security people should be able to embrace.

Topic		Replies	Views
How to handle Security blocking PyPi.org Packaging	35	6782	August 29, 2023
Proposing a community maintained database of PyPI package vulnerabilities Packaging	22	6706	June 14, 2021
RFC: improving pip security with package signing (PEP-458) Packaging	3	922	January 14, 2021
Pypi.org recently changed? Packaging help	14	6149	May 7, 2021
PEP 458: Secure PyPI downloads with package signing PEPs	134	19018	November 10, 2022

I am facing Security blocking PyPi.org how to fix it

Related Topics