If you're at #PyConUS today and wanna chat, I'll be at a sponsor presentation this afternoon https://us.pycon.org/2025/schedule/presentation/153/
Or at @ThePSF booth in the Expo Hall during the Opening Reception
There are currently 636,000 #python projects on #pypi
By the time you read this there will be several more, to the tune of one every few minutes
#opensource tools, algorithms, frameworks for #datascience, #machinelearning, #webdev and much, much more, in principle accessible to everybody
What does this mean, where will this lead?
Your guess is as good as mine. But this is emphatically *not* the world we used to live in, until recently
Remember this when you are gloomy
We're proud to announce that @gnuhealth is now an organization in the Python Package Index (#PyPI).
The organization makes it easy to find and explore our projects and packages.
We're proud to announce that #GNUHealth is now an organization in the Python Package Index (#PyPi). It's very easy to navigate our projects on pypi.
Malicious #PyPI packages abuse #Gmail, #websockets to hijack systems
While preparing my talk, I found some (small) accessibility issues in the pypi warehouse project, but it seems like only maintainers can raise issues and I don't know what to do now; other types of issues don't seem to fit.
Is there someone here I can talk to about that and eventually help with the fix?
I'm trying to publish a #Python package (chirun) on #PyPI.
It depends on a fork of another package that has some bug fixes that I'm waiting to be merged into the original package.
PyPI doesn't like me specifying a git repo address as a dependency.
Do I need to publish the fork on PyPI in order to use it as a dependency in chirun?
"Users of PyPI and package managers in general should be checking that the package they are installing is an existing well-known package, that there are no typos in the name, and that the content of the package has been reviewed before installation."
#MikeFiedler, Safety & Security Engineer, PyPI, 2025
https://www.theregister.com/2025/04/12/ai_code_suggestions_sabotage_supply_chain/
Or, people could take responsibility for what they host on their code and package repositories, and stop hosting and shipping malware. How about that?
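The three checks in the quoted advice (is this an existing well-known package, is the name free of typos, has the content been reviewed) as a small defender-side script. This is an added example, not PyPI's or Mike Fiedler's code: the allowlist, the requirements lines and the artifact bytes are all constructed for the example, and the two-edit near-miss threshold is an assumption.

```python
"""Pre-install dependency review helper (added example, not PyPI's code).

Over a constructed requirements list it checks that each name is an exact
match for a reviewed package on an allowlist, flags names within a small
edit distance of one (a likely typo or typosquat), and accepts an artifact
only if its sha256 matches the hash pinned when the content was reviewed.
"""
from __future__ import annotations

import hashlib
import re

# Constructed allowlist of packages the team has already reviewed.
KNOWN_GOOD = {"requests", "numpy", "pandas", "cryptography", "urllib3"}


def normalize(name: str) -> str:
    """PEP 503 name normalization: case-fold and collapse [-_.] runs to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_name(name: str, known=KNOWN_GOOD, max_dist: int = 2) -> tuple[str, str | None]:
    """Return ('known', name), ('near-miss', closest) or ('unknown', None).

    max_dist=2 is an assumed threshold: it catches a transposed pair or two
    substituted characters without flagging genuinely different names.
    """
    n = normalize(name)
    if n in known:
        return "known", n
    d, closest = min((edit_distance(n, k), k) for k in known)
    if d <= max_dist:
        return "near-miss", closest
    return "unknown", None


def parse_requirements(text: str) -> list[tuple[str, str | None]]:
    """Parse 'name==ver --hash=sha256:...' lines into (name, hash) pairs."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        name = re.split(r"[=<>!~ ]", line, maxsplit=1)[0]
        m = re.search(r"--hash=sha256:([0-9a-f]{64})", line)
        out.append((name, m.group(1) if m else None))
    return out


def artifact_matches(data: bytes, expected_sha256: str | None) -> bool:
    """True only if a reviewed hash is pinned and the bytes match it."""
    if expected_sha256 is None:
        return False
    return hashlib.sha256(data).hexdigest() == expected_sha256


def review(text: str, artifacts: dict[str, bytes]) -> list[str]:
    """Return one verdict string per requirement line."""
    verdicts = []
    for name, h in parse_requirements(text):
        kind, ref = classify_name(name)
        if kind == "near-miss":
            verdicts.append(f"{name}: BLOCK near-miss of {ref}")
        elif kind == "unknown":
            verdicts.append(f"{name}: BLOCK not on allowlist")
        elif artifact_matches(artifacts.get(normalize(name), b""), h):
            verdicts.append(f"{name}: OK hash matches reviewed artifact")
        else:
            verdicts.append(f"{name}: BLOCK no pinned hash or hash mismatch")
    return verdicts


# Constructed sample input: stand-in artifact bytes and a requirements file.
REVIEWED_REQUESTS = b"constructed stand-in for reviewed requests wheel bytes"
SAMPLE_ARTIFACTS = {"requests": REVIEWED_REQUESTS, "numpy": b"constructed numpy bytes"}
SAMPLE_REQUIREMENTS = (
    f"requests==2.32.0 --hash=sha256:{hashlib.sha256(REVIEWED_REQUESTS).hexdigest()}\n"
    "reqeusts==2.0.0   # one transposed pair away from 'requests'\n"
    "numpy==1.26.4     # allowlisted, but no reviewed hash pinned\n"
)

if __name__ == "__main__":
    for verdict in review(SAMPLE_REQUIREMENTS, SAMPLE_ARTIFACTS):
        print(verdict)
```

The name check runs before the hash check on purpose: a typosquat can ship a perfectly valid hash for its own malicious content, so a pinned hash only proves that what you are about to install is what someone reviewed, not that the right package was reviewed.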
The GREATEST, most TREMENDOUS Python package that makes importing great again!
https://pypi.org/project/tariff/
#Python #USPOL #PYPI
I'm not responding to anything that has happened yet today, but given the past couple weeks, I'm thinking I should just add pipx upgrade yt-dlp to a cronjob on all my computers now. XD
(Like, every third day or so, to be kind to the #PyPI servers ^__^)
#Youtube's war against its own users is getting nuts.
Some days I'm so tired of upstream developers being so averse to downstream maintainers. Like, it's not just the ungratefulness — it's like completely neglecting the tons of work we're putting into keeping things working. And they literally rely on our work (unless they're running their own distribution).
Yeah, sure, maybe you don't use #Gentoo. Maybe you use #Debian, or #Fedora, or #Arch, or their derivatives, or some other independent distribution. Does that mean that Gentoo work is insignificant? What if the developers of your distribution are facing exactly the same problem? And even if they weren't, does that mean that upstreams using Gentoo should become averse to the distribution you're using?
Yeah, sure, maybe you don't agree with one of our principles or another. Maybe you even are a Gentoo user, yet disagree with how Gentoo works. Well, even so, you're not the only Gentoo user out there. We're doing the best we can with what we have, and we're trying to make sure things work best for everyone in Gentoo. I'm not saying we're always right, but you really should have a good reason to despise all the work we've been doing.
Yeah, sure, maybe you don't use distribution #Python packaging at all, maybe you despise it entirely and wish it would all be burned down to the ground in favor of everyone using wheels from #PyPI, or whatever. But guess what — there are people who actually find it advantageous, and benefit from it, and want to use it. And there are projects that simply don't work in that ecosystem at all, and need a better package manager. And we're here, for them.
So, yeah, sure. Maybe you don't use the distribution I'm working on, nor any projects I'm working on. Maybe you disagree with me on every single principle, and don't see any purpose in any of my work. Maybe you will never use any of it. Maybe your friends or your family, or anyone you know or care about will even benefit from any of it. Still, there's a lot of people who do and who need this, and who are you to give them the digitus impudicus?
#Hackers are poisoning #PyPI again. Devs, check your dependencies NOW!
Cybercriminals planted 20 fake Python packages on PyPI—stealing cloud access tokens from AWS, Alibaba Cloud, and Tencent Cloud. These packages, disguised as "time" utilities, racked up 14,100+ downloads before removal.
One even snuck into a GitHub project with 519 stars and 42 forks.
https://thehackernews.com/2025/03/malicious-pypi-packages-stole-cloud.html
The #PyPI repository is introducing new terms of service for accounts. From now on, companies that host their projects on PyPI are charged a fee as a commission and "for support services".
#Python Software Foundation representative Ee Durbin explained that the new terms for paid accounts are still in beta.
Once beta testing is complete, a paid PyPI account will cost $5 per user per month.
https://highload.tech/uk/najbilshyj-katalog-python-paketiv-pypi-zaprovadzhuye-platni-poslugy/
Swiss developer Lennart Finke has created an interactive map of the #Python package repository #PyPI, covering more than 100 thousand packages and their dependencies.
https://highload.tech/uk/rozrobnyk-stvoryv-interaktyvnu-mapu-python-paketiv-pypi/