Security News
tea.xyz Spam Plagues npm and RubyGems Package Registries
Tea.xyz, a crypto project aimed at rewarding open source contributions, is once again facing backlash due to an influx of spam packages flooding public package registries.
Readme
Encryption tool for python files and packages.
$ private [--key <key>] [--output <directory>] [-z] [--predicate <expression>] file.py [<path>...]
$ private --output out example-0.0-py2-none-any.whl
$ pip install out/example-0.0-py2-none-any.whl
$ export PRIVATE_KEY=$(cat out/key.txt)
# Use installed package as usual
The key must be hexadecimal string of length 32. The file type is recognized by extension, Currently only .py and .whl files are supported.
It is possible to encrypt source distributions (.tar.gz files), but private will first build a wheel and then convert it, so the final output is alway a wheel.
The is an option to "tag" the source code with decorators. Then, It is possible to pass expression to the private script that specifies which tags to remove completely from the source.
For example:
# example.py
import private
@private.tag("a", "b")
def foo():
return "foo"
@private.tag("b", "c")
def bar():
return "bar"
@private.tag("z")
def baz():
return "baz"
Then, code parts to remove can be specified with regular python expression. To remove only the "bar" function, the predicate is simply: "c". To remove "foo" and "baz" the predicate is "a or z", or "not c".
The private script is called like this:
$ private --predicate "b and not a or z" example.py
will create encrypted file that contains only the function "foo".
It is possible to pack multiple packages into one executable zip file. For example:
$ mkdir test
$ cd test
$ pip download poetry
$ private -z --output out *
$ cd out
$ export PRIVATE_KEY=$(cat key.txt)
$ python packed.zip poetry
The result zip file can be directly executed and can call every console_script
in the packed packages.
Currently, the -z flag can be used only if the given paths are wheels or source distributions.
WARNING: the load time can be very slow with many pacakges.
The package doesn't have it's own test suit. It is tested in python 2 with the compiledb package as a wheel, and in python 3 with the full test suit of the construct package, on the original repository.
Private is not fully tested and is a hobby project in alpha stage, Use it at your own risk.
FAQs
Python modules and distribution encryption tool
We found that private demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Tea.xyz, a crypto project aimed at rewarding open source contributions, is once again facing backlash due to an influx of spam packages flooding public package registries.
Security News
As cyber threats become more autonomous, AI-powered defenses are crucial for businesses to stay ahead of attackers who can exploit software vulnerabilities at scale.
Security News
UnitedHealth Group disclosed that the ransomware attack on Change Healthcare compromised protected health information for millions in the U.S., with estimated costs to the company expected to reach $1 billion.