| Header | Value |
|---|---|
| Date | Tue, 12 May 2015 13:16:47 -0700 |
| Subject | Suggestion: PEP for tracking vulnerable Python packages |
| From | Grant Murphy <grantcmurphy@gmail.com> |
| To | python-list@python.org |
| Content-Type | text/plain; charset=UTF-8 |
| Newsgroups | comp.lang.python |
| Message-ID | <mailman.415.1431462191.12865.python-list@python.org> |
Hi,

When pulling in a dependency via pip it is currently difficult to reason about whether there are any vulnerabilities associated with the package version you are using.

I think the Python package management infrastructure could be extended to facilitate this capability reasonably easily. PyPI already contains a lot of metadata around package owners and releases available. Adding the ability to flag a release as having a vulnerability and CVE associated with it seems like a reasonable addition to me.

Currently there are some projects that are trying to track this information [1]; however, by including this type of information as a part of the Python infrastructure I think it would encourage better vulnerability management practices within the community.

I'd like some feedback on how to move forward with this suggestion. Does this seem like something that could be worth turning into a PEP?

1. https://github.com/victims/victims-cve-db

- Grant
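The per-release vulnerability flag the post proposes, worked through as an added example that is not code from the post, from PyPI or from the victims-cve-db project: each advisory names a package, a CVE id and the affected version range, and a pinned dependency set in the form `pip freeze` prints is matched against the advisory list. The package names, CVE ids (`CVE-0000-…`) and version ranges are constructed placeholders, and the version parser handles only dotted integer release segments; real code should compare with `packaging.version.Version` (PEP 440) instead.

```python
"""Match a pinned dependency set against per-release vulnerability records.

Added example, not code from the post or from PyPI: the advisory format and
all sample data below are constructed placeholders.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    """One flagged vulnerability: a package, its CVE id, and the affected range.

    `introduced` is the first affected release (inclusive); `fixed` is the first
    release that is no longer affected (exclusive), or None if no fix exists.
    """
    package: str
    cve: str
    introduced: str
    fixed: Optional[str] = None


def normalize_name(name: str) -> str:
    """PEP 503 project-name normalisation: case-insensitive, runs of -_. become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(version: str) -> tuple[int, ...]:
    """Simplified version key: dotted integer segments with trailing zeros dropped,
    so '1.2' and '1.2.0' compare equal. Pre-release and local segments are not
    handled here; use packaging.version.Version for real PEP 440 comparison."""
    parts = tuple(int(p) for p in version.strip().split("."))
    while len(parts) > 1 and parts[-1] == 0:
        parts = parts[:-1]
    return parts


def is_affected(adv: Advisory, version: str) -> bool:
    """True if `version` lies in the half-open range [introduced, fixed)."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    if adv.fixed is not None and v >= parse_version(adv.fixed):
        return False
    return True


def parse_freeze(text: str) -> dict[str, str]:
    """Parse 'name==version' lines as printed by `pip freeze`; comments, blank
    lines and anything not pinned with '==' are skipped."""
    installed: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if sep:
            installed[name.strip()] = version.strip()
    return installed


def find_vulnerabilities(installed: dict[str, str], db: list[Advisory]) -> list[tuple[str, str, str]]:
    """Return sorted (package, version, cve) triples for each installed release
    that an advisory flags. Names are normalised on both sides so that
    'other-lib' in the freeze output matches an advisory filed as 'other_lib'."""
    by_name = {normalize_name(n): (n, v) for n, v in installed.items()}
    hits = set()
    for adv in db:
        entry = by_name.get(normalize_name(adv.package))
        if entry is not None and is_affected(adv, entry[1]):
            hits.add((entry[0], entry[1], adv.cve))
    return sorted(hits)


# Constructed sample data: fictional packages, placeholder CVE ids and ranges.
SAMPLE_FREEZE = """\
# output of `pip freeze` (constructed)
examplepkg==1.4.2
other-lib==0.9.0
Safe_Package==2.0.0
"""

SAMPLE_DB = [
    Advisory("examplepkg", "CVE-0000-0001", introduced="1.4.0", fixed="1.4.3"),
    Advisory("examplepkg", "CVE-0000-0002", introduced="1.0", fixed="1.4.0"),
    Advisory("other_lib", "CVE-0000-0003", introduced="0.9"),  # no fixed release yet
    Advisory("safe-package", "CVE-0000-0004", introduced="1.0", fixed="2.0"),
]


if __name__ == "__main__":
    for package, version, cve in find_vulnerabilities(parse_freeze(SAMPLE_FREEZE), SAMPLE_DB):
        print(f"{package}=={version} is affected by {cve}")
```

The exclusive `fixed` bound is the detail that matters in practice: a release pinned exactly at the first fixed version must not be reported, while an advisory with no fix flags every release from `introduced` onward. Name normalisation is equally necessary, since `pip freeze`, PyPI and a CVE feed will not spell the same project identically.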