[Git][reproducible-builds/reproducible-website][master] 2026-03: Fix GI academic paper
Timo Pohl (@pohlarized)
gitlab at salsa.debian.org
Wed Apr 8 06:11:13 UTC 2026
Timo Pohl pushed to branch master at Reproducible Builds / reproducible-website
Commits:
3db41a83 by Timo Pohl at 2026-04-08T08:10:44+02:00
2026-03: Fix GI academic paper
- - - - -
2 changed files:
- _reports/2026-03.md
- + images/reports/2026-03/epub.gi.png
Changes:
=====================================
_reports/2026-03.md
=====================================
@@ -145,9 +145,21 @@ Once again, there were a number of improvements made to our website this month i
### Two new academic papers
-[FIXME](https://dl.gi.de/items/07a895be-d49c-4d73-b14d-cb533e850ca2)
+
+[](https://dl.gi.de/items/07a895be-d49c-4d73-b14d-cb533e850ca2)
<!-- Link currently HTTP 500; -->
+Marc Ohm, Timo Pohl, Ben Swierzy and Michael Meier published a paper on the [*threat of cache poisoning in the Python ecosystem*](https://dl.gi.de/items/07a895be-d49c-4d73-b14d-cb533e850ca2):
+
+Attacks on software supply chains are on the rise, and attackers are becoming increasingly creative in how they inject malicious code into software components.
+This paper is the first to investigate Python cache poisoning, which manipulates bytecode cache files to execute malicious code without altering the human-readable source code.
+We demonstrate a proof of concept, showing that an attacker can inject malicious bytecode into a cache file without failing the Python interpreter's integrity checks.
+In a large-scale analysis of the Python Package Index, we find that about 12,500 packages are distributed with cache files.
+Through manual investigation of cache files that cannot be reproduced automatically from the corresponding source files, we identify classes of reasons for irreproducibility to locate malicious cache files.
+While we did not identify any malware leveraging this attack vector, we demonstrate that several widespread package managers are vulnerable to such attacks.
+
+A [PDF](https://dl.gi.de/items/07a895be-d49c-4d73-b14d-cb533e850ca2) of the paper is available online.
+
<br>
[](https://epub.jku.at/obvulihs/content/titleinfo/13440717)
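Review bot: the added `[](https://dl.gi.de/items/07a895be-d49c-4d73-b14d-cb533e850ca2)` line has empty link text, so it renders as nothing, and the `images/reports/2026-03/epub.gi.png` file this commit adds is not referenced anywhere in the hunk; check whether the image was meant to sit inside that link, or drop the empty link, since the paper is already linked from the "threat of cache poisoning" sentence and the PDF line below it. The `<!-- Link currently HTTP 500; -->` comment is kept right above the new paragraph while the same dl.gi.de URL is now used twice in visible text, so either the comment is stale or the new links will be broken for readers; confirm which and update the comment accordingly. Finally, the abstract is pasted as plain paragraphs with no attribution marker, so it reads as the report's own voice; consider quoting it in the same way the report presents other papers' abstracts.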
=====================================
images/reports/2026-03/epub.gi.png
=====================================
Binary files /dev/null and b/images/reports/2026-03/epub.gi.png differ
View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/3db41a83a20801789b007910b2c6627c6c49f75b