Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > comp.lang.python > #90493
| Path | csiph.com!usenet.pasdenom.info!news.redatomik.org!newsfeed.xs4all.nl!newsfeed3a.news.xs4all.nl!xs4all!post.news.xs4all.nl!not-for-mail |
|---|---|
| Return-Path | <andres.riancho@gmail.com> |
| X-Original-To | python-list@python.org |
| Delivered-To | python-list@mail.python.org |
| X-Spam-Status | OK 0.031 |
| X-Spam-Evidence | '*H*': 0.94; '*S*': 0.00; 'subject:Python': 0.06; 'pypi': 0.07; 'subject:PEP': 0.07; 'dependency': 0.09; 'pep': 0.09; 'url:github': 0.09; 'cc:addr:python-list': 0.11; 'python': 0.11; 'dev.': 0.16; 'grant,': 0.16; 'pulling': 0.16; 'reasonably': 0.16; 'suggestion.': 0.16; 'wrote:': 0.18; 'trying': 0.19; 'seems': 0.21; 'community.': 0.22; 'cc:addr:python.org': 0.22; 'install': 0.23; 'installation': 0.23; 'cc:2**0': 0.24; 'least': 0.26; 'skip:" 20': 0.27; 'header:In-Reply-To:1': 0.27; 'message- id:@mail.gmail.com': 0.30; 'url:mailman': 0.30; 'twitter:': 0.31; 'url:python': 0.33; 'community': 0.33; 'framework': 0.33; "i'd": 0.34; 'could': 0.34; 'something': 0.35; 'but': 0.35; 'received:google.com': 0.35; 'there': 0.35; 'version': 0.36; 'url:listinfo': 0.36; 'hi,': 0.36; 'url:org': 0.36; 'application': 0.37; 'project': 0.37; 'feedback': 0.38; 'pm,': 0.38; 'track': 0.38; 'ability': 0.39; 'does': 0.39; '12,': 0.39; 'release': 0.40; 'url:mail': 0.40; 'how': 0.40; 'extended': 0.61; 'information': 0.63; 'forward': 0.65; 'great': 0.65; 'management': 0.65; 'to:addr:gmail.com': 0.65; 'within': 0.65; 'worth': 0.66; 'believe': 0.68; '2015': 0.84; 'capability': 0.84; 'vulnerable': 0.84; 'audit': 0.93; 'refuse': 0.93 |
| DKIM-Signature | v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:content-transfer-encoding; bh=g7ppZqBSUEHG7A0v5UO7V9lnaR0P78Hf00asEG4Gx0Y=; b=kXofPjNNRgDdJsvUqSVngROCka0ikgFN9MNCg26CnkUZIqKKi+JWTMWkncfIaNA+n4 3TyRwUgJW6lkkdziCR1DpuWetxyYPo2p4X3MYkDNTxvPtz1epYxJY7llBRVQlK7T6WwB ubrPOOdqUtyvfYztl6Ifd5gxUeMO+80Mqbu9sFRBrF106i8LdMG24Wsdrz3GE8zRvIro S2Ki+MksEtA2ys40QnoICXXfyw7w5n1L6r4ODuRWsy/Ms/cqypIwN/M5w3k2RhUSng1l kDjg+NNuBvNPj7dCt31mm2eppcDZxJ4md2OCl8PRTAASBZrnTm8YnRRQK28BfZkhJHQr SIIw== |
| X-Received | by 10.140.98.245 with SMTP id o108mr22068019qge.36.1431462789097; Tue, 12 May 2015 13:33:09 -0700 (PDT) |
| MIME-Version | 1.0 |
| In-Reply-To | <CAHXGaxCS7ix-4-6-NFsCYHUYSzg80bK6RCaA9m-AqgEnd5y7cw@mail.gmail.com> |
| References | <CAHXGaxCS7ix-4-6-NFsCYHUYSzg80bK6RCaA9m-AqgEnd5y7cw@mail.gmail.com> |
| From | Andres Riancho <andres.riancho@gmail.com> |
| Date | Tue, 12 May 2015 17:32:48 -0300 |
| Subject | Re: Suggestion: PEP for tracking vulnerable Python packages |
| To | Grant Murphy <grantcmurphy@gmail.com> |
| Cc | Python <python-list@python.org> |
| Content-Type | text/plain; charset=UTF-8 |
| Content-Transfer-Encoding | quoted-printable |
| X-BeenThere | python-list@python.org |
| X-Mailman-Version | 2.1.20+ |
| Precedence | list |
| List-Id | General discussion list for the Python programming language <python-list.python.org> |
| List-Unsubscribe | <https://mail.python.org/mailman/options/python-list>, <mailto:python-list-request@python.org?subject=unsubscribe> |
| List-Archive | <http://mail.python.org/pipermail/python-list/> |
| List-Post | <mailto:python-list@python.org> |
| List-Help | <mailto:python-list-request@python.org?subject=help> |
| List-Subscribe | <https://mail.python.org/mailman/listinfo/python-list>, <mailto:python-list-request@python.org?subject=subscribe> |
| Newsgroups | comp.lang.python |
| Message-ID | <mailman.417.1431462791.12865.python-list@python.org> (permalink) |
| Lines | 46 |
| NNTP-Posting-Host | 2001:888:2000:d::a6 |
| X-Trace | 1431462791 news.xs4all.nl 2850 [2001:888:2000:d::a6]:56289 |
| X-Complaints-To | abuse@xs4all.nl |
| Xref | csiph.com comp.lang.python:90493 |
Show key headers only | View raw
Grant, On Tue, May 12, 2015 at 5:16 PM, Grant Murphy <grantcmurphy@gmail.com> wrote: > Hi, > > When pulling in a dependency via pip it is currently difficult to reason about > whether there are any vulnerabilities associated with the package version you > are using. I think the Python package management infrastructure could be > extended to facilitate this capability reasonably easily. PyPI already > contains a lot of metadata around package owners and releases available. > Adding the ability to flag a release as having a vulnerability and CVE > associated with it seems like a reasonable addition to me. > > Currently there are some projects that are trying to track this information [1], > however by including this type of information as a part of the Python > infrastructure I think it would encourage better vulnerability management > practices within the community. > > I'd like some feedback on how to move forward with this suggestion. Does > this seem like something that could be worth turning into a PEP? I believe a PEP is not necessary, but it would be great to make this information part of the package meta-data in pypi, and have "pip" refuse to install a package that has known vulnerabilities. The user could force the installation of a vulnerable package with "--install-vulnerable package-name", but at least pypi / python community is warning the dev. > 1. https://github.com/victims/victims-cve-db > > - Grant > -- > https://mail.python.org/mailman/listinfo/python-list -- Andrés Riancho Project Leader at w3af - http://w3af.org/ Web Application Attack and Audit Framework Twitter: @w3af GPG: 0x93C344F3
Back to comp.lang.python | Previous | Next | Find similar | Unroll thread
Re: Suggestion: PEP for tracking vulnerable Python packages Andres Riancho <andres.riancho@gmail.com> - 2015-05-12 17:32 -0300
csiph-web