| Header | Value |
|---|---|
| From | Andres Riancho <andres.riancho@gmail.com> |
| Date | 2015-05-12 17:32 -0300 |
| Subject | Re: Suggestion: PEP for tracking vulnerable Python packages |
| Newsgroups | comp.lang.python |
| Message-ID | <mailman.417.1431462791.12865.python-list@python.org> |
| References | <CAHXGaxCS7ix-4-6-NFsCYHUYSzg80bK6RCaA9m-AqgEnd5y7cw@mail.gmail.com> |
Grant,

On Tue, May 12, 2015 at 5:16 PM, Grant Murphy <grantcmurphy@gmail.com> wrote:
> Hi,
>
> When pulling in a dependency via pip it is currently difficult to reason about
> whether there are any vulnerabilities associated with the package version you
> are using. I think the Python package management infrastructure could be
> extended to facilitate this capability reasonably easily. PyPI already
> contains a lot of metadata around package owners and releases available.
> Adding the ability to flag a release as having a vulnerability and CVE
> associated with it seems like a reasonable addition to me.
>
> Currently there are some projects that are trying to track this information [1];
> however, by including this type of information as a part of the Python
> infrastructure I think it would encourage better vulnerability management
> practices within the community.
>
> I'd like some feedback on how to move forward with this suggestion. Does
> this seem like something that could be worth turning into a PEP?

I believe a PEP is not necessary, but it would be great to make this
information part of the package meta-data in pypi, and have "pip" refuse to
install a package that has known vulnerabilities. The user could force the
installation of a vulnerable package with "--install-vulnerable package-name",
but at least the pypi / python community is warning the dev.

> 1. https://github.com/victims/victims-cve-db
>
> - Grant
> --
> https://mail.python.org/mailman/listinfo/python-list

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
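The mechanism the two messages sketch (a per-release vulnerability record keyed by CVE, an install step that refuses a flagged release, and an explicit override flag) can be shown end to end in a few dozen lines. The block below is an added example written for this page; it is not pip's code, not part of the victims-cve-db project, and not an implementation of the proposal. It assumes a constructed in-memory database with placeholder CVE ids (not real advisories), plain dotted numeric versions (no pre-release, post-release or local tags), and exactly pinned `name==version` requirement lines; the function names `parse_requirement`, `find_vulnerabilities` and `plan_install` and the `install_vulnerable` switch standing in for "--install-vulnerable" are all inventions of this example.

```python
"""Pre-install vulnerability gate: check pinned requirements against a
vulnerability database and refuse flagged releases unless overridden.
Added example for this thread; not pip's or victims-cve-db's code."""
import re

# Constructed sample database with placeholder CVE ids (not real advisories).
# Each record marks the affected range [introduced, fixed); fixed=None means
# every release from "introduced" onward is affected. Keys are normalized
# package names.
SAMPLE_DB = {
    "example-pkg": [
        {"cve": "CVE-0000-0001", "introduced": "1.0", "fixed": "1.4.2"},
    ],
    "otherlib": [
        {"cve": "CVE-0000-0002", "introduced": "0.1", "fixed": None},
    ],
}

# Only exact pins are accepted: a range such as "requests>=2.0" does not name
# a release, so there is nothing to look up.
_REQ_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9]+(?:\.[0-9]+)*)\s*$"
)


def normalize_name(name):
    """PEP 503 style normalization so 'Example_Pkg' and 'example-pkg' match."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(text):
    """Assumption: plain dotted numeric versions only.
    Trailing zeros are dropped so 1.4 and 1.4.0 compare equal."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_requirement(line):
    """Return (normalized name, version) for an exactly pinned requirement,
    or None for anything that is not pinned and therefore cannot be checked."""
    m = _REQ_RE.match(line)
    if not m:
        return None
    return normalize_name(m.group(1)), m.group(2)


def find_vulnerabilities(name, version, db):
    """CVE ids whose affected range contains this exact release."""
    v = parse_version(version)
    hits = []
    for rec in db.get(normalize_name(name), []):
        if v < parse_version(rec["introduced"]):
            continue
        if rec["fixed"] is not None and v >= parse_version(rec["fixed"]):
            continue
        hits.append(rec["cve"])
    return hits


def plan_install(requirements, db, install_vulnerable=False):
    """Decide what an install step would do for each requirement line.

    'install'  -> (name, version) pairs that are clean (or forced through)
    'refused'  -> (name, version, cves) blocked because of known CVEs
    'warned'   -> vulnerable releases let through by install_vulnerable=True
    'unpinned' -> lines that could not be checked at all
    """
    plan = {"install": [], "refused": [], "warned": [], "unpinned": []}
    for line in requirements:
        parsed = parse_requirement(line)
        if parsed is None:
            plan["unpinned"].append(line.strip())
            continue
        name, version = parsed
        cves = find_vulnerabilities(name, version, db)
        if not cves:
            plan["install"].append((name, version))
        elif install_vulnerable:
            # Override requested: install, but still surface the CVEs.
            plan["warned"].append((name, version, cves))
            plan["install"].append((name, version))
        else:
            plan["refused"].append((name, version, cves))
    return plan


if __name__ == "__main__":
    reqs = ["Example_Pkg==1.3", "otherlib==0.5", "safe-lib==2.0", "requests>=2.0"]
    for flag in (False, True):
        print("install_vulnerable=%s -> %s" % (flag, plan_install(reqs, SAMPLE_DB, flag)))
```

Two details matter in practice: the `fixed` boundary is exclusive, so the release that ships the fix is not flagged, and unpinned lines are reported rather than silently treated as safe, because a range cannot be matched against per-release records.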