Malicious PyPI Packages

It was a matter of time. After the npm repository was hit late last year and Ruby gems were found mining crypto-currency, this time it is PyPI that spreads bad code. Supply chain attacks, as this vector is typically referred to, are becoming an increasing problem, foremost for software vendors.

The rich supply of community-maintained packages makes particular languages attractive to businesses. Plenty of ready-made packages allow vendors to rapidly build the most important components required to bootstrap any SaaS business. Authentication, database connectivity, model-view abstraction layers, web request routing, HTML templating: all of it can be found in any of these package ecosystems, at no added cost.

However, nothing in life is free and the price vendors pay is the added risk of unvalidated or unverified sources.

Pyston is back

Pyston, the Python runtime with a Just-In-Time (JIT) compiler, appears to be back. After the project lost support from Dropbox, development seemed to have ceased. A new team has just released version 2, which is compatible with Python 3.8. It promises a 20% performance gain over CPython, the default implementation. Here is the announcement: The Pyston Blog

User management with django-allauth

It is common for bots to register with a website. Often enough there are user instances in the user base that registered at some point but never verified their email address.

Fortunately, for users of Django and the excellent django-allauth, there are easy ways to manage these accounts.

First, the Django ORM comes with an easy way to identify the users that did not verify their primary email address:

>>> from django.contrib.auth.models import User
>>> unverified_users = User.objects.filter(emailaddress__verified=False, emailaddress__primary=True)

The ORM allows simple filtering for unverified email addresses through a "relationship lookup", that is emailaddress__verified=False in the above snippet. Of course, you may want to restrict this to users whose primary email address is unverified. That is the second keyword argument to .filter() here: emailaddress__primary=True. The filter operator ANDs these two conditions together.

To identify users that not only have an unverified primary email address, but also appear to be idle, you can drop the users that have logged in recently through .exclude():

>>> import datetime
>>> # exclude everyone whose last_login is after the cutoff date; users who never
>>> # logged in (last_login is NULL) are not matched by __gt and therefore remain
>>> old_unverified_users = unverified_users.exclude(last_login__gt=datetime.datetime(2020, 1, 1))

This excludes everyone who has logged in after Jan 1st, 2020, leaving only the users that have been idle since then. Of course, the date compared against last_login can be modified to match your requirements.

Finally, you may choose to either email these users and ask them again to verify their email address, which would be a separate task, or delete them. In our case, we simply delete them, since they are obviously not interested in using our site:

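The following is an added example, not code from the original post, that packages the steps above (filter on an unverified primary address, exclude recent logins, then delete) into a reusable cleanup routine with a dry-run mode. It assumes django-allauth's EmailAddress model is reachable from the user model under the default reverse name emailaddress and that the user model has Django's standard last_login field; the pure-Python predicate is_stale mirrors the queryset so the rule can be checked without a database.

```python
"""Cleanup of idle, unverified accounts in a django-allauth user base.

Assumptions (not from the original post): allauth's EmailAddress is related to
the user model under the default reverse name 'emailaddress', and the user
model carries Django's standard last_login field (None for users who never
logged in).
"""
import datetime

# Both lookups sit in ONE filter() call on purpose: Django then requires the
# same EmailAddress row to be primary and unverified. Two separate filter()
# calls would allow two different rows to satisfy the two conditions.
UNVERIFIED_PRIMARY = {"emailaddress__verified": False, "emailaddress__primary": True}


def idle_cutoff(now, idle_days=90):
    """Accounts with no login after this instant count as idle."""
    return now - datetime.timedelta(days=idle_days)


def is_stale(verified, primary, last_login, cutoff):
    """Pure-Python mirror of stale_unverified() for tests and review.

    exclude(last_login__gt=cutoff) never matches a NULL last_login, so users
    who registered but never logged in stay in the cleanup set.
    """
    if verified or not primary:
        return False
    return last_login is None or not last_login > cutoff


def stale_unverified(user_model, now, idle_days=90):
    """Lazy queryset of users with an unverified primary email and no login
    after the cutoff. Nothing is deleted here."""
    cutoff = idle_cutoff(now, idle_days)
    return user_model.objects.filter(**UNVERIFIED_PRIMARY).exclude(last_login__gt=cutoff)


def cleanup(user_model, now, idle_days=90, dry_run=True):
    """Count and, unless dry_run is set, delete stale accounts.

    Run with dry_run=True first and sanity-check the count (a sudden jump
    usually means the cutoff or the lookups are wrong) before deleting.
    """
    queryset = stale_unverified(user_model, now, idle_days)
    count = queryset.count()
    if not dry_run:
        queryset.delete()
    return count
```

Wire cleanup() into a management command or a scheduled task and keep dry_run on until the reported count matches what you see in the admin.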

Python, the programming language, gained a lot of popularity only in the past decade. In particular for big data applications, machine learning and data science the language is almost without rival. But also for tool development or web application backends, Python has seen huge adoption. The reasons are its huge ecosystem and a friendly, constructive community. Despite its newer competitors, it has been around for 30 years. One of the most appreciated benefits is its gentle learning curve, which allows virtually everyone to understand Python code.

Dropbox has an interview with Guido van Rossum, who published the first version of the language in 1989. The conversation revolves around the purpose of code and how Python helps improve cooperation and productivity.


“You primarily write your code to communicate with other coders, and, to a lesser extent, to impose your will on the computer.”

Guido van Rossum

A conversation with the creator of the world’s most popular programming language on removing brain friction for better work. Source: The Mind at Work: Guido van Rossum on how Python makes thinking in code easier

The Road to Python 3

When Python 3 came out in 2009, it was already heavily debated. Python 3 would be incompatible with previous versions of the popular language, but fix many drawbacks. While the vision was clear and the community initially planned to move forward much more quickly, the demand for a 2.x branch was so huge that the community decided to extend support for 2.7 until the end of 2019. Stack Overflow took a look at why the path took so long.
