Open Source Summit Europe 2023

Both academic research and products in industry will scan software for malware. Occasionally, someone suggests that OSS package repositories run one of these tools every time a package gets published to stop malware before it starts. However, a look at the Python’s PyPI, which rolled out such a system in 2020, shows why this doesn’t work, and likely can’t given current approaches to malware detection. This talk is a case study of PyPI to identify requirements for automated malware scanning. Critically, the huge number of packages uploaded to PyPI each week (and the small, all-volunteer team that responds to malware reports) mean that even tiny false-positive rates that would awe malware researchers would create endless work for the PyPI team. There’s good news, however: an equilibrium has emerged, with third-party (human) researchers running their own scanners, then reporting true positives. And surprisingly, malware on these repositories doesn’t alarm the administrators compared with other supply chain threats. The moral: you can’t design solutions without listening to the needs of the open source maintainers who would use it. Anybody who works on package repositories or worries about downloading malware packages from these repositories will learn something from this talk.