The DWD (Deutscher Wetterdienst), as Germany's meteorological service, publishes a myriad of meteorological observations and calculations as part of their Open Data program.
Bright Sky is an open-source project aiming to make some of the more popular data — in particular weather observations from the DWD station network and weather forecasts from the MOSMIX model — available in a free, simple JSON API.
You can use the free public Bright Sky instance!
Check out the infrastructure repo!
The parsing core for Bright Sky is maintained in a separate package named dwdparse, which has no dependencies outside the standard library. If you find that's not quite serving your needs, check out wetterdienst.
Read on. :)
Starting from version 2.0, where we extracted the parsing core into a separate package, Bright Sky is no longer intended to be used as a Python library, but only as the service available at brightsky.dev.
Consequently, we adjust our version numbers from the perspective of that service and its users – i.e., we will increase the major version number only when we introduce backwards-incompatible (or otherwise very major) changes to the actual JSON API interface, e.g. by changing URLs or parameters. This means that increases of the minor version number may introduce backwards-incompatible changes to the internals of the brightsky package, including the database structure. If you use brightsky as a Python library, please version-pin to a minor version, e.g. by putting brightsky==2.0.* in your requirements.txt.
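As an added illustration of the pinning advice above (not code from the Bright Sky project), a small checker that classifies how tightly each requirements.txt line pins its package and flags brightsky when it is not pinned at least to a minor version; the regex and function names are my own:

```python
import re
from typing import List, Optional, Tuple

# One requirements.txt line such as "brightsky==2.0.*": distribution name,
# optional comparison operator, optional version (may contain a '*' wildcard).
_REQ_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*"
    r"(?P<op>==|~=|>=|<=|!=|>|<)?\s*(?P<ver>[0-9A-Za-z.*]+)?"
)


def pin_level(line: str) -> Optional[Tuple[str, str]]:
    """Return (name, level) for one requirements line, or None for blank,
    comment and option lines. level is 'exact', 'minor', 'major' or 'loose'
    depending on the granularity the specifier actually locks in."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    m = _REQ_RE.match(line)
    if not m:
        return None
    name = m.group("name").lower()
    op, ver = m.group("op"), m.group("ver") or ""
    parts = ver.split(".")
    if op == "==" and parts[-1] != "*":
        level = "exact"                      # brightsky==2.0.3
    elif op in ("==", "~="):
        # ==2.* / ~=2.0 allow minor bumps; ==2.0.* / ~=2.0.0 allow patch bumps.
        level = {2: "major", 3: "minor"}.get(len(parts), "loose")
    else:
        level = "loose"                      # >=, <, no operator, ...
    return name, level


def check_pins(requirements: str, strict_for=("brightsky",)) -> List[str]:
    """Return findings for packages in strict_for whose pin is looser than a
    minor version, which for brightsky may pull in breaking internal changes."""
    findings = []
    for line in requirements.splitlines():
        parsed = pin_level(line)
        if parsed is None:
            continue
        name, level = parsed
        if name in strict_for and level in ("major", "loose"):
            findings.append(f"{name}: pinned at {level} level, expected a minor "
                            f"pin such as {name}==2.0.*")
    return findings
```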
Note: These instructions are aimed at running a Bright Sky instance for development and testing. Check out our infrastructure repository if you want to set up a production-level API instance.
Just run docker-compose up and you should be good to go. This will set up a PostgreSQL database (with persistent storage in .data), run a Redis server, and start the Bright Sky worker and webserver. The worker periodically polls the DWD Open Data Server for updates, parses them, and stores them in the database. The webserver will be listening to API requests on port 5000.
Bright Sky is a rather simple project consisting of four components:
The brightsky worker, which leverages the logic contained in the brightsky Python package to retrieve weather records from the DWD server, parse them, and store them in a database. It will periodically poll the DWD servers for new data.
The brightsky webserver (API), which serves as the gateway to our database and processes all queries for weather records coming from the outside world.
A PostgreSQL database consisting of two relevant tables: sources contains information on the locations for which we hold weather records, and weather contains the history of actual meteorological measurements (or forecasts) for these locations. The database structure can be set up by running the migrate command, which will simply apply all .sql files found in the migrations folder.
A Redis server, which is used as the backend of the worker's task queue.
Most of the tasks performed by the worker and webserver can also be performed independently. Run docker-compose run --rm brightsky to get a list of available commands.
Constantly rebuilding the brightsky container while working on the code can become cumbersome, and the default setting of parsing records dating all the way back to 2010 will make your development database unnecessarily large. You can set up a more lightweight development environment as follows:
Create a virtual environment and install our dependencies:
python -m virtualenv .venv && source .venv/bin/activate && pip install -r requirements.txt && pip install -e .
Start a PostgreSQL container:
docker-compose run --rm -p 5432:5432 postgres
Start a Redis container:
docker-compose run --rm -p 6379:6379 redis
Point brightsky to your containers, and configure a tighter date threshold for parsing DWD data, by adding the following .env file:
BRIGHTSKY_DATABASE_URL=postgres://postgres:pgpass@localhost
BRIGHTSKY_BENCHMARK_DATABASE_URL=postgres://postgres:pgpass@localhost/benchmark
BRIGHTSKY_REDIS_URL=redis://localhost
BRIGHTSKY_MIN_DATE=2020-01-01
You should now be able to directly run brightsky commands via python -m brightsky, and changes to the source code should be effective immediately.
Large parts of our test suite run against a real Postgres database. By default, these tests will be skipped. To enable them, make sure the BRIGHTSKY_TEST_DATABASE_URL environment variable is set when calling tox, e.g. via:
BRIGHTSKY_TEST_DATABASE_URL=postgres://postgres:pgpass@localhost/brightsky_test tox
Beware that adding this environment variable to your .env file will not work, as that file is not read by tox. The database will be dropped and recreated on every test run, so don't use your normal Bright Sky database. ;)
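An added example (not part of the Bright Sky code base) covering the .env file above and the test-database caveat: it loads the KEY=VALUE lines, masks the database password before the URL is logged, checks that BRIGHTSKY_MIN_DATE is an ISO date, and refuses a test database URL that equals the development database, since the test run drops it. The sample .env is constructed from the values shown above; function names are my own.

```python
from datetime import date
from urllib.parse import urlsplit, urlunsplit

# Constructed sample .env using the keys and values the README shows.
SAMPLE_ENV = """\
BRIGHTSKY_DATABASE_URL=postgres://postgres:pgpass@localhost
BRIGHTSKY_BENCHMARK_DATABASE_URL=postgres://postgres:pgpass@localhost/benchmark
BRIGHTSKY_REDIS_URL=redis://localhost
BRIGHTSKY_MIN_DATE=2020-01-01
"""


def parse_env(text: str) -> dict:
    """Parse KEY=VALUE lines; blank lines and '#' comments are skipped."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip()
    return env


def redact_url(url: str) -> str:
    """Mask the password in a URL's userinfo so the value is safe to log."""
    parts = urlsplit(url)
    if parts.password is None:
        return url
    host = parts.hostname or ""  # note: urlsplit strips [] from IPv6 literals
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    netloc = f"{parts.username}:***@{host}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def validate_env(env: dict, test_db_url: str = "") -> list:
    """Return problems found in a Bright Sky .env mapping (empty list = OK).
    test_db_url is the BRIGHTSKY_TEST_DATABASE_URL you pass to tox on the
    command line, since tox does not read .env."""
    problems = []
    for key in ("BRIGHTSKY_DATABASE_URL", "BRIGHTSKY_REDIS_URL"):
        if not env.get(key):
            problems.append(f"{key} is missing")
    try:
        date.fromisoformat(env.get("BRIGHTSKY_MIN_DATE", ""))
    except ValueError:
        problems.append("BRIGHTSKY_MIN_DATE must be YYYY-MM-DD")
    if test_db_url and test_db_url == env.get("BRIGHTSKY_DATABASE_URL"):
        problems.append("BRIGHTSKY_TEST_DATABASE_URL must point to a separate "
                        "database; the test run drops and recreates it")
    return problems
```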
Bright Sky's development is boosted by the priceless guidance and support of the Open Knowledge Foundation's Prototype Fund program, and is generously funded by Germany's Federal Ministry of Education and Research. Obvious as it may be, it should be mentioned that none of this would be possible without the painstaking, never-ending effort of the Deutscher Wetterdienst.