Python Bytes

#475 Haunted warehouses



Topics covered in this episode:
  • Lock the Ghost
  • Fence for Sandboxing
  • MALUS: Liberate Open Source
  • Harden your GitHub Actions Workflows with zizmor, dependency pinning, and dependency cooldowns
  • Extras
  • Joke
  • Watch on YouTube

    About the show

    Sponsored by us! Support our work through:

    • Our courses at Talk Python Training
    • The Complete pytest Course
    • Patreon Supporters

    Connect with the hosts
    • Michael: @[email protected] / @mkennedy.codes (bsky)
    • Brian: @[email protected] / @brianokken.bsky.social
    • Show: @[email protected] / @pythonbytes.fm (bsky)
    • Join us on YouTube at pythonbytes.fm/live to be part of the audience. Usually Monday at 11am PT. Older video versions available there too.

      Finally, if you want an artisanal, hand-crafted digest of every week of the show notes in email form? Add your name and email to our friends of the show list, we'll never share it.

      Michael #1: Lock the Ghost

      • The five core takeaways:
        1. PyPI "removal" doesn't delete distribution files. When a package is removed from PyPI, it disappears from the index and project page, but the actual distribution files remain accessible if you have a direct URL to them.
        2. uv.lock uniquely preserves access to ghost packages. Because uv.lock stores direct URLs to distribution files rather than relying on the index API at install time, uv sync can successfully install packages that have already been removed, even with cache disabled. No other Python lock file implementation tested behaved this way.
        3. This creates a supply chain attack vector. An attacker could upload a malicious package, immediately remove it to dodge automated security scanning, and still have it installable via a uv.lock file, or combine this with the xz-style strategy of hiding malicious additions in large, auto-generated lock files that nobody reviews.
        4. Removed package names can be hijacked with version collisions. When an owner removes a package, the name can be reclaimed by someone else who can upload different distribution types under the same version number, as happened with "umap." Lock files help until you regenerate them, then you're exposed.
        5. Your dependency scanning needs to cover lock files, not just manifest files. Scanning only pyproject.toml or requirements.txt misses threats embedded in lock files, which is where the actual resolved URLs and hashes live.
      Brian #2: Fence for Sandboxing

      • Suggested by Martin Häcker
      • “Some coding platforms have since integrated built-in sandboxing (e.g., Claude Code) to restrict write access to directories and/or network connectivity. However, these safeguards are typically optional and not enabled by default.”
      • “JY Tan (on cc) has extracted the sandboxing logic from Claude Code and repackaged it into a standalone Go binary.”
      • Source code on GitHub: https://github.com/Use-Tusk/fence
      • Related:
        • Simon Willison lethal trifecta for AI agents article from June 2025
        • Claude Code Sandboxing

      Michael #3: MALUS: Liberate Open Source

      • via Paul Bauer
      • The service generates a spec of a library with one AI, then builds a newly licensed library from that spec with a second AI, the aim being to circumvent the licensing and copyright rules.
      • An AI that has not been trained on open source reads the docs and API signatures and writes a spec. Another AI turns that spec into working software.
      • Is it a real site? Are they accepting real money, or are they just trying to cause a stir around copyright?

      Brian #4: Harden your GitHub Actions Workflows with zizmor, dependency pinning, and dependency cooldowns

      • Matthias Schoettle
      • Avoid things like this: hackerbot-claw: An AI-Powered Bot Actively Exploiting GitHub Actions - Microsoft, DataDog, and CNCF Projects Hit So Far
      Extras

      Brian:

      • GitHub is asking to spy on us, that’s nice

      Michael:

      • Michael’s new SaaS for podcasters: InterviewCue
      • DigitalOcean’s Spaces cold storage for infrequently accessed data
      • Minor issue about my fire and forget post, was a latent bug?
      • Fire and Forget at Textual follow up article

      Joke: Can you?

Python Bytes, by Michael Kennedy and Brian Okken