Path: csiph.com!usenet.pasdenom.info!weretis.net!feeder1.news.weretis.net!feeder.erje.net!1.eu.feeder.erje.net!border1.nntp.ams1.giganews.com!nntp.giganews.com!newsfeed.xs4all.nl!newsfeed3.news.xs4all.nl!xs4all!newsgate.cistron.nl!newsgate.news.xs4all.nl!post.news.xs4all.nl!not-for-mail
Return-Path: <mail@timgolden.me.uk>
X-Original-To: python-list@python.org
Delivered-To: python-list@mail.python.org
X-Spam-Status: OK 0.009
X-Spam-Evidence: '*H*': 0.98; '*S*': 0.00; 'pypi': 0.07; 'subject:PEP': 0.07; 'agree,': 0.09; 'dependency': 0.09; 'lawrence': 0.09; 'subject:PyPI': 0.09; 'url:github': 0.09; 'python': 0.11; 'from:addr:timgolden.me.uk': 0.16; 'from:name:tim golden': 0.16; 'mark,': 0.16; 'message-id:@timgolden.me.uk': 0.16; 'pulling': 0.16; 'reasonably': 0.16; 'received:74.55.86': 0.16; 'received:74.55.86.74': 0.16; 'received:smtp.webfaction.com': 0.16; 'received:webfaction.com': 0.16; 'suggestion.': 0.16; 'through,': 0.16; 'tjg': 0.16; 'wrote:': 0.18; 'trying': 0.19; 'later': 0.20; 'seems': 0.21; 'community.': 0.22; 'saying': 0.22; 'header:User-Agent:1': 0.23; 'earlier': 0.24; 'somewhere': 0.26; 'header:In-Reply-To:1': 0.27; 'point': 0.28; 'approve': 0.31; 'are.': 0.31; "i'd": 0.34; 'could': 0.34; 'something': 0.35; 'plans': 0.35; 'but': 0.35; 'there': 0.35; 'version': 0.36; "didn't": 0.36; "i'll": 0.36; 'hi,': 0.36; 'feedback': 0.38; 'to:addr:python-list': 0.38; 'track': 0.38; 'ability': 0.39; 'does': 0.39; "couldn't": 0.39; 'to:addr:python.org': 0.39; 'release': 0.40; 'how': 0.40; 'extended': 0.61; "you're": 0.61; "you've": 0.63; 'information': 0.63; 'forward': 0.65; 'great': 0.65; 'management': 0.65; 'charset:windows-1252': 0.65; 'within': 0.65; 'worth': 0.66; 'minutes': 0.67; 'internet': 0.71; 'apart': 0.72; 'from:addr:mail': 0.83; 'capability': 0.84; 'thing,': 0.91
Date: Tue, 12 May 2015 22:23:40 +0100
From: Tim Golden <mail@timgolden.me.uk>
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
MIME-Version: 1.0
To: python-list@python.org
Subject: Re: Suggestion: PEP for tracking vulnerable packages within PyPI
References: <CAHXGaxD+hj=N-UqzO=nepka0KJ7zbr+_VneuPRbs34G6NjZNZA@mail.gmail.com> <mitqlb$r6e$1@ger.gmane.org>
In-Reply-To: <mitqlb$r6e$1@ger.gmane.org>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
X-BeenThere: python-list@python.org
X-Mailman-Version: 2.1.20+
Precedence: list
List-Id: General discussion list for the Python programming language <python-list.python.org>
List-Unsubscribe: <https://mail.python.org/mailman/options/python-list>, <mailto:python-list-request@python.org?subject=unsubscribe>
List-Archive: <http://mail.python.org/pipermail/python-list/>
List-Post: <mailto:python-list@python.org>
List-Help: <mailto:python-list-request@python.org?subject=help>
List-Subscribe: <https://mail.python.org/mailman/listinfo/python-list>, <mailto:python-list-request@python.org?subject=subscribe>
Newsgroups: comp.lang.python
Message-ID: <mailman.420.1431465828.12865.python-list@python.org>
Lines: 46
NNTP-Posting-Host: 2001:888:2000:d::a6
X-Trace: 1431465828 news.xs4all.nl 2903 [2001:888:2000:d::a6]:39417
X-Complaints-To: abuse@xs4all.nl
Xref: csiph.com comp.lang.python:90496



On 12/05/2015 22:17, Mark Lawrence wrote:
> On 12/05/2015 20:46, Grant Murphy wrote:
>> Hi,
>>
>> When pulling in a dependency via pip it is currently difficult to
>> reason about
>> whether there are any vulnerabilities associated with the package
>> version you
>> are using. I think the Python package management infrastructure could be
>> extended to facilitate this capability reasonably easily. PyPI already
>> contains a lot of metadata around package owners and releases available.
>> Adding the ability to flag a release as having a vulnerability and CVE
>> associated with it seems like a reasonable addition to me.
>>
>> Currently there are some projects that are trying to track this
>> information [1],
>> however by including this type of information as a part of the main
>> Python
>> infrastructure I think it would encourage better vulnerability management
>> practices within the community.
>>
>> I'd like some feedback on how to move forward with this suggestion. Does
>> this seem like something that could be worth turning into a PEP?
>>
>> 1. https://github.com/victims/victims-cve-db
>>
>> - Grant
>>
>
> It strikes me as a great idea.  As you've got the time to send three
> emails some 40 minutes apart saying the same thing, you must have the
> time to do the work that is involved, so please let us know what your
> plans are.
>

Before you drown in your own snark, Mark, I'll just point out that the 
OP sent the later emails thinking that the earlier ones hadn't got 
through, since I was somewhere which didn't have internet access so 
couldn't approve the posts.

Still a tad impatient, I agree, but not the question-bomber you're 
suggesting.

TJG