Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > comp.lang.python > #90496

Re: Suggestion: PEP for tracking vulnerable packages within PyPI

Date 2015-05-12 22:23 +0100
From Tim Golden <mail@timgolden.me.uk>
Subject Re: Suggestion: PEP for tracking vulnerable packages within PyPI
References <CAHXGaxD+hj=N-UqzO=nepka0KJ7zbr+_VneuPRbs34G6NjZNZA@mail.gmail.com> <mitqlb$r6e$1@ger.gmane.org>
Newsgroups comp.lang.python
Message-ID <mailman.420.1431465828.12865.python-list@python.org> (permalink)

Show all headers | View raw


On 12/05/2015 22:17, Mark Lawrence wrote:
> On 12/05/2015 20:46, Grant Murphy wrote:
>> Hi,
>>
>> When pulling in a dependency via pip it is currently difficult to
>> reason about
>> whether there are any vulnerabilities associated with the package
>> version you
>> are using. I think the Python package management infrastructure could be
>> extended to facilitate this capability reasonably easily. PyPI already
>> contains a lot of metadata around package owners and releases available.
>> Adding the ability to flag a release as having a vulnerability and CVE
>> associated with it seems like a reasonable addition to me.
>>
>> Currently there are some projects that are trying to track this
>> information [1],
>> however by including this type of information as a part of the main
>> Python
>> infrastructure I think it would encourage better vulnerability management
>> practices within the community.
>>
>> I'd like some feedback on how to move forward with this suggestion. Does
>> this seem like something that could be worth turning into a PEP?
>>
>> 1. https://github.com/victims/victims-cve-db
>>
>> - Grant
>>
>
> It strikes me as a great idea.  As you've got the time to send three
> emails some 40 minutes apart saying the same thing, you must have the
> time to do the work that is involved, so please let us know what your
> plans are.
>

Before you drown in your own snark, Mark, I'll just point out that the 
OP sent the later emails thinking that the earlier ones hadn't got 
through, since I was somewhere which didn't have internet access so 
couldn't approve the posts.

Still a tad impatient, I agree, but not the question-bomber you're 
suggesting.

TJG

Back to comp.lang.python | Previous | Next | Find similar | Unroll thread

Thread

Re: Suggestion: PEP for tracking vulnerable packages within PyPI Tim Golden <mail@timgolden.me.uk> - 2015-05-12 22:23 +0100

csiph-web