
Re: Suggestion: PEP for tracking vulnerable packages within PyPI

To python-list@python.org
From Mark Lawrence <breamoreboy@yahoo.co.uk>
Subject Re: Suggestion: PEP for tracking vulnerable packages within PyPI
Date Tue, 12 May 2015 22:17:29 +0100
References <CAHXGaxD+hj=N-UqzO=nepka0KJ7zbr+_VneuPRbs34G6NjZNZA@mail.gmail.com>
In-Reply-To <CAHXGaxD+hj=N-UqzO=nepka0KJ7zbr+_VneuPRbs34G6NjZNZA@mail.gmail.com>
Newsgroups comp.lang.python
Message-ID <mailman.419.1431465458.12865.python-list@python.org>



On 12/05/2015 20:46, Grant Murphy wrote:
> Hi,
>
> When pulling in a dependency via pip it is currently difficult to reason about
> whether there are any vulnerabilities associated with the package version you
> are using. I think the Python package management infrastructure could be
> extended to facilitate this capability reasonably easily. PyPI already
> contains a lot of metadata around package owners and releases available.
> Adding the ability to flag a release as having a vulnerability and CVE
> associated with it seems like a reasonable addition to me.
>
> Currently there are some projects that are trying to track this information [1],
> however by including this type of information as a part of the main Python
> infrastructure I think it would encourage better vulnerability management
> practices within the community.
>
> I'd like some feedback on how to move forward with this suggestion. Does
> this seem like something that could be worth turning into a PEP?
>
> 1. https://github.com/victims/victims-cve-db
>
> - Grant
>

It strikes me as a great idea.  As you've got the time to send three 
emails some 40 minutes apart saying the same thing, you must have the 
time to do the work that is involved, so please let us know what your 
plans are.

-- 
My fellow Pythonistas, ask not what our language can do for you, ask
what you can do for our language.

Mark Lawrence
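As an added illustration of the lookup Grant's proposal would enable, and not code from this thread, from PyPI or from victims-cve-db: given a table that flags affected release ranges of a package with a CVE id, the checker below reports which pinned requirements fall inside a flagged range. The advisory table, package names, versions and CVE ids are constructed placeholders, and only exact `name==version` pins and PEP 440 release segments are handled.

```python
"""Flag pinned PyPI requirements whose release falls in an advisory range."""
import re

# Constructed advisory table (placeholder names, versions and CVE ids, not real
# advisories). A release is affected if introduced <= version < fixed.
ADVISORIES = [
    ("Example-Lib", "1.0.0", "1.1.0", "CVE-0000-00001"),
    ("otherpkg",    "2.0",   "2.3.5", "CVE-0000-00002"),
]

# Constructed pinned requirements, as pip would read them from requirements.txt.
REQUIREMENTS = """\
example_lib==1.0.3   # inside the flagged range
otherpkg==2.3.5      # exactly the fixed release, so not affected
safepkg==0.9         # no advisory at all
"""


def normalize(name):
    """PEP 503 project-name normalisation: lower-case, runs of -_. become -."""
    return re.sub(r"[-_.]+", "-", name).lower()


def version_key(text):
    """Order PEP 440 release segments; trailing zeros are dropped so 2.0 == 2.0.0."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_pins(requirements):
    """Map normalised project name -> pinned version from exact pins only."""
    pins = {}
    for line in requirements.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"only exact pins (name==version) are supported: {line!r}")
        pins[normalize(name)] = version.strip()
    return pins


def find_vulnerable(requirements, advisories=ADVISORIES):
    """Return {normalised name: sorted CVE ids} for pins inside a flagged range."""
    pins, hits = parse_pins(requirements), {}
    for pkg, introduced, fixed, cve in advisories:
        pinned = pins.get(normalize(pkg))
        if pinned and version_key(introduced) <= version_key(pinned) < version_key(fixed):
            hits.setdefault(normalize(pkg), []).append(cve)
    return {name: sorted(cves) for name, cves in hits.items()}


if __name__ == "__main__":
    for name, cves in find_vulnerable(REQUIREMENTS).items():
        print(f"{name}: {', '.join(cves)}")
```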
