Brussels / 3 & 4 February 2024


How can we trust third-party code? Using Python to understand the trust relationships within the Python ecosystem

As developers, we use open source libraries all the time to perform critical functions in our code, often finding them through a Google search and installing them from package registries like PyPI and npm. Because installing a package takes nothing more than a name, these registries are an attractive target for malware, for example typosquatted or hijacked packages.

In this session we look at the web of trust we implicitly accept when we install a third-party PyPI package. We explore some of the relationships between the people, repositories and code involved, and how we can start to verify them. We try to define some of the ways a piece of code can be trustworthy or not; it isn’t just malice: old, abandoned or under-maintained code can be just as problematic.

We will look at some of the things we can measure, such as activity in the repository and by its contributors, and the strength of the link between the published package and its source repository. We’ll also look at the scale of the problem and the reasons we might want to automate these checks.
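As an added example of the kind of measurement described above (this is illustrative code written for this page, not the speaker's tooling), the script below takes two documents shaped like the real PyPI JSON API (https://pypi.org/pypi/<name>/json) and GitHub repository API (https://api.github.com/repos/<owner>/<repo>) responses, extracts the source repositories the package claims, checks whether the repository name matches the PEP 503-normalised package name, and measures how long ago the last release and the last push happened. The field names used (project_urls, home_page, releases, upload_time_iso_8601, pushed_at, archived) are real fields of those APIs; the sample documents, the package and repository names, and the staleness thresholds are constructed for the example.

```python
"""Added example: score a few measurable trust signals for a PyPI package.

Illustrative code for this page, not the speaker's tooling. It runs on two
constructed JSON documents shaped like the PyPI JSON API and the GitHub
repository API; thresholds below are assumptions, not recommendations.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import urlparse

GIT_HOSTS = {"github.com", "gitlab.com", "codeberg.org", "bitbucket.org"}
STALE_RELEASE_DAYS = 730   # assumption: no release for two years is a warning
STALE_PUSH_DAYS = 365      # assumption: no commit for a year is a warning


def normalise(name: str) -> str:
    """PEP 503 project-name normalisation, so 'Foo_Bar.baz' == 'foo-bar-baz'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def repo_slug(url: str):
    """Return (host, owner, repo) for a forge URL, or None for anything else."""
    parsed = urlparse(url)
    host = parsed.netloc.lower()
    if host not in GIT_HOSTS:
        return None
    parts = [s for s in parsed.path.split("/") if s]
    if len(parts) < 2:
        return None
    owner, repo = parts[0], parts[1]
    if repo.endswith(".git"):
        repo = repo[:-4]
    return host, owner.lower(), repo.lower()


def source_repos(pypi_doc: dict) -> set:
    """Collect every forge repository the PyPI metadata points at."""
    info = pypi_doc["info"]
    urls = list((info.get("project_urls") or {}).values())
    if info.get("home_page"):
        urls.append(info["home_page"])
    return {slug for slug in map(repo_slug, urls) if slug}


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def latest_release_time(pypi_doc: dict) -> Optional[datetime]:
    """Newest upload time across all files of all releases."""
    times = [_parse(f["upload_time_iso_8601"])
             for files in pypi_doc["releases"].values() for f in files]
    return max(times) if times else None


@dataclass
class TrustReport:
    package: str
    repos: set
    name_matches_repo: bool
    days_since_release: Optional[int]
    days_since_push: Optional[int]
    archived: bool
    warnings: list = field(default_factory=list)


def assess(pypi_doc: dict, repo_doc: dict, now: datetime) -> TrustReport:
    """Combine registry and repository metadata into a handful of signals."""
    name = pypi_doc["info"]["name"]
    repos = source_repos(pypi_doc)
    # Link strength: the package should point at a repo whose name matches it.
    name_ok = any(normalise(r[2]) == normalise(name) for r in repos)
    rel = latest_release_time(pypi_doc)
    rel_age = (now - rel).days if rel else None
    pushed = repo_doc.get("pushed_at")
    push_age = (now - _parse(pushed)).days if pushed else None
    archived = bool(repo_doc.get("archived", False))
    report = TrustReport(name, repos, name_ok, rel_age, push_age, archived)
    if not repos:
        report.warnings.append("no source repository linked from PyPI metadata")
    elif not name_ok:
        report.warnings.append("linked repository name does not match package name")
    if archived:
        report.warnings.append("repository is archived")
    if rel_age is not None and rel_age > STALE_RELEASE_DAYS:
        report.warnings.append(f"last release {rel_age} days ago")
    if push_age is not None and push_age > STALE_PUSH_DAYS:
        report.warnings.append(f"last push {push_age} days ago")
    return report


NOW = datetime(2024, 2, 3, 12, 0, tzinfo=timezone.utc)  # fixed clock for the example

# Constructed sample: a healthy package linking to a matching, active repository.
HEALTHY_PYPI = {
    "info": {"name": "Example_Pkg", "home_page": "",
             "project_urls": {"Source": "https://github.com/Example-Org/example-pkg.git",
                              "Docs": "https://example-pkg.readthedocs.io/"}},
    "releases": {"1.0.0": [{"upload_time_iso_8601": "2023-06-01T12:00:00.000000Z"}],
                 "1.1.0": [{"upload_time_iso_8601": "2024-01-15T09:30:00.000000Z"}]},
}
HEALTHY_REPO = {"full_name": "Example-Org/example-pkg", "archived": False,
                "pushed_at": "2024-01-20T08:00:00Z"}

# Constructed sample: an abandoned package whose only link is an archived repo
# with a different name.
STALE_PYPI = {
    "info": {"name": "oldlib", "home_page": "https://github.com/someone/legacy-tools",
             "project_urls": None},
    "releases": {"0.3": [{"upload_time_iso_8601": "2019-03-10T00:00:00.000000Z"}]},
}
STALE_REPO = {"full_name": "someone/legacy-tools", "archived": True,
              "pushed_at": "2020-05-01T00:00:00Z"}

if __name__ == "__main__":
    for pypi_doc, repo_doc in ((HEALTHY_PYPI, HEALTHY_REPO), (STALE_PYPI, STALE_REPO)):
        print(assess(pypi_doc, repo_doc, NOW))
```

Against live data the two documents would be fetched over HTTP with the same shape. Note the caveat the example makes visible: a link from PyPI to a repository is only a claim made by whoever uploaded the package, so a name match is a weak signal on its own; a stronger check, not implemented here, is to confirm that the repository's own packaging metadata names the same project and that the released version corresponds to a tag in that repository.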


Speaker: Nigel