René's URL Explorer Experiment

{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Implement PEP-708 - Extend the repository API to mitigate \"dependency confusion\" attacks","articleBody":"[PEP-708](https://peps.python.org/pep-0708/)\n\n\u003e \n\u003e Dependency confusion attacks, in which a malicious package is installed instead of the one the user expected, are an [increasingly common supply chain threat](https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610). Most such attacks against Python dependencies, including the [recent PyTorch incident](https://pytorch.org/blog/compromised-nightly-dependency/), occur with multiple package repositories, where a dependency expected to come from one repository (e.g. a custom index) is installed from another (e.g. PyPI).\n\u003e \n\u003e To help address this problem, this PEP proposes extending the [Simple Repository API](https://packaging.python.org/en/latest/specifications/simple-repository-api/#simple-repository-api) to allow repository operators to indicate that a project found on their repository “tracks” a project on different repositories, and allows projects to extend their namespaces across multiple repositories.\n\u003e \n\u003e These features will allow installers to determine when a project being made available from a particular mix of repositories is expected and should be allowed, and when it is not and should halt the install with an error to protect the user.","author":{"url":"https://github.com/dralley","@type":"Person","name":"dralley"},"datePublished":"2025-10-31T14:38:48.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":0},"url":"https://github.com/998/pulp_python/issues/998"}