#python and #pypi supply chain mitigation for *apps*
What we (and npm and cargo and so on) need is pipx, except it runs that app in a docker container.
So I wrote a little script to generate a docker file, transfer the credentials for a secure python proxy to it, then build and run the docker file.
The docker part was hard, but 10% of users, 1% of the time would be able to do it, but that wasn't the worst.
Self-replies
The private credential repo proxy was the hardest to configure. pip and uv really don't want to use anything other than pypi directly. Better to make sure no one uses a corporate proxy than to just trust pypi.org.
Malicious typo squats? In the news daily.
MITM? That is just life, man, every organization is running a MITM against all the staff to see what they're up to. pip and uv have the wrong threat model. UX tricks to drive proxy use to 0 aren't improving security.
Features this needs
- auto discover if user has docker or podman
- auto discover credentials in context (machinewide pip.conf and translate to unix and move into the container)
- use local website or tkinter to handle user prompts because if only the 1% of 1% of users comfortable with cli use this, then it is pretty thin security. Heck even pipx has pretty low adoption.
And by proxy I mean like these, not HTTP proxies which don't have pypi security features:
- Artifactory
- AWS CodeArtifact
- Google Cloud Artifact Registry
- GitHub Packages
- GitLab Packages
- Sonatype Nexus
- Cloudsmith
- Buildkite Package Registries
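
A sketch of the first two items under "Features this needs", as an added example that is not the script from the thread: it picks docker or podman, reduces a host pip config to a Unix-style `pip.conf` carrying only the proxy's `index-url`, and generates a Dockerfile that receives that file as a build secret so the credentials never land in an image layer. The function names, the `pipconf` secret id, the `python:3.12-slim` base image, the `proxy.example.com` URL and the assumption that the app's console script has the same name as its package are all hypothetical.

```python
import configparser
import re
import shutil

NAME_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9._-]*[A-Za-z0-9])?$")  # PyPI name shape
# Constructed sample: a Windows-style pip.ini pointing at a private proxy.
SAMPLE_PIP_INI = "[global]\r\nindex-url = https://user:p%40ss@proxy.example.com/simple\r\n"

def find_runtime(which=shutil.which):
    """Return 'docker' or 'podman', whichever is on PATH first, else None."""
    return next((n for n in ("docker", "podman") if which(n)), None)

def unix_pip_conf(host_conf_text):
    """Carry only index-url from the host config into an LF-terminated pip.conf."""
    src = configparser.ConfigParser(interpolation=None)  # credentials may contain '%'
    src.read_string(host_conf_text)
    url = src.get("global", "index-url", fallback=None)
    if url is None:
        raise ValueError("no [global] index-url in host pip config")
    if not url.startswith("https://"):
        raise ValueError("refusing to send credentials to a non-HTTPS index")
    return f"[global]\nindex-url = {url}\n"

def dockerfile_for(app):
    """Dockerfile text that installs `app` through the proxy named in the secret."""
    if not NAME_RE.match(app):  # keep untrusted input out of the RUN line
        raise ValueError(f"not a valid package name: {app!r}")
    return "\n".join([
        "# syntax=docker/dockerfile:1",
        "FROM python:3.12-slim",
        "# The secret exists only for this RUN step and is not stored in a layer.",
        "RUN --mount=type=secret,id=pipconf \\",
        "    PIP_CONFIG_FILE=/run/secrets/pipconf pip install --no-cache-dir " + app,
        f'ENTRYPOINT ["{app}"]',  # assumption: console script is named like the package
        "",
    ])

def build_cmd(runtime, app, conf_path, context_dir):
    """argv for the build; assumes the runtime supports `build --secret id=,src=`."""
    return [runtime, "build", "--secret", f"id=pipconf,src={conf_path}",
            "-t", f"sandboxed-{app.lower()}", context_dir]
```

Write the output of `unix_pip_conf` to a file readable only by the current user, pass its path as `conf_path`, and delete it after the build.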