Ideally anyone running production code involving computers that handle money (even if the code itself doesn't) should review any libraries and fully understand what they are doing before importing them.
This means that you essentially cannot use JavaScript, Ruby, Python, or Rust. All of them are orgies of dependencies autofetched and updated in a practically unaudited manner.
(Sure, it's technically possible to use these languages without their ecosystem, but it's impractical and moots much of their benefits).
Technically possible ... well I guess it depends on who the typical hacker is who is writing the code.
I say 'typical hacker' because in my opinion that covers the majority of developers in bitcoin.
Broad technical expertise is very rare in bitcoin.
But

I resolve that problem on my pool web site, no imported JS libraries, no python, no scripts written by anyone but me - no nodejs or other such code ... no google tracking, unlike most pools ...
... and the pool itself, C

But since the topic IS python ... well, there's a lot of bitcoin and pool code out there that uses python (not me).
Heh - 25 malicious python libraries in the past few years ... sounds like a massive security risk to me.