
Re: Suggestion: PEP for tracking vulnerable packages within PyPI

In-Reply-To: <mitqlb$r6e$1@ger.gmane.org>
References: <CAHXGaxD+hj=N-UqzO=nepka0KJ7zbr+_VneuPRbs34G6NjZNZA@mail.gmail.com> <mitqlb$r6e$1@ger.gmane.org>
Date: Tue, 12 May 2015 14:56:59 -0700
Subject: Re: Suggestion: PEP for tracking vulnerable packages within PyPI
From: Grant Murphy <grantcmurphy@gmail.com>
To: Mark Lawrence <breamoreboy@yahoo.co.uk>
Cc: python-list@python.org
Content-Type: text/plain; charset=UTF-8
Newsgroups: comp.lang.python
Message-ID: <mailman.422.1431467822.12865.python-list@python.org>



Ok so.. no PEP needed then..alright then... my plan now goes something
like this:

0. Send this email.
1. Unsubscribe from the python-list. (I don't enjoy the company of trolls).
2. Actually fix the problem and submit a PR.
3. Go have a beer.

Apologies for the multiple emails.  I can see how Mark needed to be a
jerk about it..

- Grant

On Tue, May 12, 2015 at 2:17 PM, Mark Lawrence <breamoreboy@yahoo.co.uk> wrote:
> On 12/05/2015 20:46, Grant Murphy wrote:
>>
>> Hi,
>>
>> When pulling in a dependency via pip it is currently difficult to reason
>> about whether there are any vulnerabilities associated with the package
>> version you are using. I think the Python package management
>> infrastructure could be extended to facilitate this capability reasonably
>> easily. PyPI already contains a lot of metadata around package owners and
>> releases available. Adding the ability to flag a release as having a
>> vulnerability and CVE associated with it seems like a reasonable addition
>> to me.
>>
>> Currently there are some projects that are trying to track this
>> information [1], however by including this type of information as a part
>> of the main Python infrastructure I think it would encourage better
>> vulnerability management practices within the community.
>>
>> I'd like some feedback on how to move forward with this suggestion. Does
>> this seem like something that could be worth turning into a PEP?
>>
>> 1. https://github.com/victims/victims-cve-db
>>
>> - Grant
>>
>
> It strikes me as a great idea.  As you've got the time to send three emails
> some 40 minutes apart saying the same thing, you must have the time to do
> the work that is involved, so please let us know what your plans are.
>
> --
> My fellow Pythonistas, ask not what our language can do for you, ask
> what you can do for our language.
>
> Mark Lawrence
>
> --
> https://mail.python.org/mailman/listinfo/python-list
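As an added illustration (not code from this thread, PyPI or pip) of the check the proposal would enable, the block below matches pinned requirements against constructed per-release vulnerability entries keyed by package name, affected-version specifier and CVE id. The package names, versions and CVE ids are made-up placeholders, and the tiny comparator only understands dotted numeric versions with simple comparison clauses, a stand-in for a full PEP 440 implementation.

```python
"""Flag pinned requirements whose release is listed in a vulnerability DB."""
import re

# Constructed sample of the per-release metadata the proposal describes:
# package -> [(affected version specifier, CVE id)]. Placeholder ids, not real advisories.
VULN_DB = {
    "examplelib": [("<1.2.3", "CVE-0000-0001"), (">=2.0,<2.0.4", "CVE-0000-0002")],
    "otherpkg": [("==0.9.0", "CVE-0000-0003")],
}

OPS = {"<": lambda c: c < 0, "<=": lambda c: c <= 0, ">": lambda c: c > 0,
       ">=": lambda c: c >= 0, "==": lambda c: c == 0, "!=": lambda c: c != 0}


def parse_version(text):
    """Dotted numeric version -> tuple of ints (simplified; not full PEP 440)."""
    return tuple(int(part) for part in text.split("."))


def compare(a, b):
    """Return -1, 0 or 1 after padding the shorter tuple with zeros (2.0 == 2.0.0)."""
    width = max(len(a), len(b))
    a, b = a + (0,) * (width - len(a)), b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def matches(version, specifier):
    """True if version satisfies every comma-separated clause of the specifier."""
    ver = parse_version(version)
    for clause in specifier.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|!=|<|>)\s*([0-9.]+)\s*", clause)
        if not m:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        if not OPS[m.group(1)](compare(ver, parse_version(m.group(2)))):
            return False
    return True


def parse_requirements(text):
    """Parse 'name==version' lines (comments allowed); only exact pins are supported."""
    reqs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if not sep:
            raise ValueError(f"only pinned '==' requirements supported: {line!r}")
        reqs[name.strip().lower()] = version.strip()
    return reqs


def find_vulnerable(requirements, db=VULN_DB):
    """Return [(name, version, cve)] for every pinned release flagged in db."""
    return [(name, version, cve) for name, version in requirements.items()
            for spec, cve in db.get(name, []) if matches(version, spec)]
```

Running `find_vulnerable(parse_requirements("examplelib==2.0.1\nsafepkg==3.1"))` returns the single hit for the placeholder CVE-0000-0002, which is the point at which a pip-like installer could warn.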
