Alpha Omega is proud to share the newly published white paper from Seth Larson of the Python Software Foundation, titled “Slippery Zips and Sticky Tar Pits: Security and Archives.” Seth serves as Python’s Security Developer in Residence, a role sponsored by Alpha Omega, focused on improving the safety and trustworthiness of open source software that powers systems and applications everywhere.
Incident report of a recent attack campaign targeting GitHub Actions workflows to exfiltrate PyPI tokens, our response, and steps to protect your projects.
This largely depends on the ICANN policies and their definitions of Renewal and Registration Grace Periods.
The Renewal period is variable, but the Registration Grace Period is pretty much 30 days everywhere.
The ERRP only covers gTLDs, right? Have you seen any ICANN policies requiring ccTLDs to adopt the same grace periods? As far as I know, ccTLDs can do whatever they want.
ICANN policies only govern global domains. Country domains set their own policies; for example, the .eu expiration period is 45 days, not 30.
WHOIS policies also vary wildly; for example, .de domains do not show the registration date in WHOIS, so it's not possible to know if a domain was dropped and re-registered.
PyPI now checks for expired domains to prevent domain resurrection attacks, a type of supply-chain attack where someone buys an expired domain and uses it to take over PyPI accounts through password resets.
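The decision logic behind such a check, written here as an added example rather than PyPI's own code: an account's email address stays usable for password resets only while its domain is neither in an expired/dropping state nor registered more recently than the user last verified the address (the signature of a drop-and-re-register). The status vocabulary (`expired`, `pending_delete`, …), the record shapes and the sample data are all assumptions made for this example; real registries and WHOIS/RDAP providers use their own names, and some (the .de case mentioned above) expose no registration date at all, which the code handles by falling back to the status check alone.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Domain states in which the original registrant may no longer control the
# mailbox. Assumed vocabulary for this example; registries differ.
UNTRUSTED_STATUSES = {
    "expired", "grace_period", "redemption", "pending_delete", "undelegated",
}


@dataclass(frozen=True)
class EmailRecord:
    address: str
    verified: bool
    verified_on: date          # when the user last proved control of the mailbox


@dataclass(frozen=True)
class DomainStatus:
    name: str
    status: str                # e.g. "active", "expired", "pending_delete"
    registered_on: Optional[date]   # None where the registry hides it (.de)


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def domain_is_trusted(email: EmailRecord, domain: DomainStatus) -> bool:
    """False when the domain can no longer vouch for the mailbox: it is
    expired/dropping, or it was (re)registered after the address was verified,
    i.e. a resurrected domain now owned by someone else."""
    if domain.name != domain_of(email.address):
        raise ValueError("status record does not match the email's domain")
    if domain.status in UNTRUSTED_STATUSES:
        return False
    if domain.registered_on is not None and domain.registered_on > email.verified_on:
        return False
    # No registration date: a drop-and-re-register is indistinguishable from
    # continuous ownership, so only the status check can apply.
    return True


def refresh_verification(email: EmailRecord, domain: DomainStatus) -> EmailRecord:
    """Demote a verified address whose domain is no longer trusted. Never
    re-verifies automatically: the user must prove control again."""
    if email.verified and not domain_is_trusted(email, domain):
        return EmailRecord(email.address, False, email.verified_on)
    return email


def may_send_password_reset(email: EmailRecord) -> bool:
    """Account-recovery gate: only verified addresses receive reset links."""
    return email.verified


def evaluate(address: str, verified_on: str, status: str,
             registered_on: Optional[str]) -> bool:
    """Convenience wrapper over ISO date strings: does this (constructed)
    account still qualify for a password-reset email?"""
    email = EmailRecord(address, True, date.fromisoformat(verified_on))
    dom = DomainStatus(domain_of(address), status,
                       date.fromisoformat(registered_on) if registered_on else None)
    return may_send_password_reset(refresh_verification(email, dom))


def scenario_results() -> dict:
    """Constructed sample data covering the cases discussed in the thread."""
    return {
        # long-held active domain: still trusted
        "active_old": evaluate("dev@example.com", "2023-01-10", "active", "2015-03-01"),
        # domain in a drop state: reset must not go out
        "pending_delete": evaluate("dev@example.com", "2023-01-10", "pending_delete", "2015-03-01"),
        # active again but registered after verification: resurrected domain
        "resurrected": evaluate("dev@example.com", "2023-01-10", "active", "2024-06-01"),
        # registry hides registration date (.de): status check only
        "hidden_date_active": evaluate("dev@example.de", "2023-01-10", "active", None),
        "hidden_date_expired": evaluate("dev@example.de", "2023-01-10", "expired", None),
    }


if __name__ == "__main__":
    for name, allowed in scenario_results().items():
        print(f"{name:22s} reset allowed: {allowed}")
```

The important design choice is that the registry lookup only ever demotes an address; restoring `verified` requires the user to click a fresh verification link, so a domain that lapses and is bought by someone else gains nothing from a password reset until the real owner re-proves control.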
Excellent idea, and something I tried a little while back.
The `pytest-postgresql` plugin used has the ability to do this natively, but when we tried it out we found that we had other issues with developing on a Linux machine.