Document PyPI security policy in FAQ and security page

[tiran]

What's the problem this feature will solve?

The Python Security Response Team (PSRT) is getting inquiries and security reports regarding malicious content on PyPI regularly. Every now and then we have to educate reporters that PyPI is not a secure and tightly controlled app store but an open package index.

The pages https://pypi.org/help/ and https://pypi.org/security/ don't explain PyPI's security concept and policy as well.

Describe the solution you'd like

It would be fantastic if the official FAQ and security page of PyPI could set expectations and explain PyPAs security concept.

Incomplete list of topics:

• PyPI is an open index. Everybody (also bad people) can register a new package name and upload new packages.
• Registration only confirms email addresses. There is no additional background check.
• PyPI does not protect against malicious content or typo squatting. The team removes and blocks malicious content on a best-effort bases. Uploaded code is not (yet) scanned for malicious content.
• Package installation can result in arbitrary code execution.
• Mention how to protect against exploits with version pinning and a custom PyPI mirror.
• ...

The security policy should be objective, honest, but not go into fearmongering.

Additional context

• https://www.ayrx.me/look-before-you-pip
• https://nakedsecurity.sophos.com/2017/09/19/pypi-python-repository-hit-by-typosquatting-sneak-attack/
• https://www.blog.pythonlibrary.org/2018/10/31/more-typo-squatting-malware-found-on-pypi/
• https://discuss.python.org/t/dependency-notation-including-the-index-url/5659

[tiran]

Hi,

PSRT got contacted by multiple reporters in the past months regarding "attacks" on PSRT, e.g. dependency confusion issue. Just today we got contacted regarding:

• https://www.theregister.com/2021/03/02/python_pypi_purges/
• https://blog.sonatype.com/pypi-and-npm-flooded-with-over-5000-dependency-confusion-copycats

@di @ewdurbin @ejodlowska Could you please escalate this issue and come up with an official text? Reporters typically expect an authoritative, official response within a couple of hours. The Python Security Response Team is not the right body to make official statements on behalf of the PSF.

[di]

We should provide a save harbor notice as well, something like https://docs.github.com/en/github/site-policy/github-bug-bounty-program-legal-safe-harbor