


Suggestion: PEP for tracking vulnerable packages within PyPI

Started by Grant Murphy <grantcmurphy@gmail.com>
First post 2015-05-12 12:46 -0700
Last post 2015-05-12 12:46 -0700
Articles 1 — 1 participant




#90490 — Suggestion: PEP for tracking vulnerable packages within PyPI

From Grant Murphy <grantcmurphy@gmail.com>
Date 2015-05-12 12:46 -0700
Subject Suggestion: PEP for tracking vulnerable packages within PyPI
Message-ID<mailman.414.1431462191.12865.python-list@python.org>
Hi,

When pulling in a dependency via pip it is currently difficult to reason about
whether there are any vulnerabilities associated with the package version you
are using. I think the Python package management infrastructure could be
extended to facilitate this capability reasonably easily. PyPI already
contains a lot of metadata around package owners and releases available.
Adding the ability to flag a release as having a vulnerability and CVE
associated with it seems like a reasonable addition to me.

Currently there are some projects that are trying to track this information [1],
however by including this type of information as a part of the main Python
infrastructure I think it would encourage better vulnerability management
practices within the community.

I'd like some feedback on how to move forward with this suggestion. Does
this seem like something that could be worth turning into a PEP?

1. https://github.com/victims/victims-cve-db

- Grant
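
An added example (editor's code, not part of the original post or of the victims-cve-db project) of the check the post is asking for: given a per-release vulnerability feed of the kind PyPI could carry, report which pinned dependencies fall inside an advisory's affected range. The feed layout, the package names, the `CVE-0000-…` identifiers and the requirements text are all constructed placeholders; version handling is deliberately limited to dotted numeric releases, so anything with pre-release or local suffixes is rejected rather than misjudged.

```python
"""Check pinned dependencies against a per-release vulnerability feed.

Constructed example: the feed format, package names and CVE-0000-* ids are
placeholders, not PyPI data and not the victims-cve-db format.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Constructed feed: one entry per (package, affected version range, advisory id).
VULN_FEED = [
    {"package": "examplepkg", "affected": ">=1.0,<1.2.1", "id": "CVE-0000-0001"},
    {"package": "examplepkg", "affected": "==2.0.0", "id": "CVE-0000-0002"},
    {"package": "Other_Lib", "affected": "<0.9", "id": "CVE-0000-0003"},
]

# Constructed requirements.txt content with '==' pins.
SAMPLE_REQUIREMENTS = """\
# pinned by the example project
examplepkg==1.1.0
other-lib==1.0.0
thirdpkg==3.2.1
"""


def normalize_name(name: str) -> str:
    """PEP 503 name normalization, so 'Other_Lib' and 'other-lib' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(text: str) -> Version:
    """Parse a dotted numeric release such as '1.2.1' into a comparable tuple.

    Pre-release, post-release, dev and local suffixes are rejected on purpose:
    silently mis-ordering them would hide a vulnerable release.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(p) for p in parts)


def _pad(a: Version, b: Version) -> Tuple[Version, Version]:
    """Zero-pad so that 1.0 and 1.0.0 compare equal."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


_OPS = {
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    "<=": lambda a, b: a <= b,
    ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b,
    ">": lambda a, b: a > b,
}
_CLAUSE = re.compile(r"^(==|!=|<=|>=|<|>)\s*([0-9][0-9.]*)$")


def version_in_range(version: str, specifier: str) -> bool:
    """True if `version` satisfies every comma-separated clause of `specifier`."""
    v = parse_version(version)
    for clause in specifier.split(","):
        m = _CLAUSE.match(clause.strip())
        if not m:
            raise ValueError(f"bad specifier clause: {clause!r}")
        op, bound = m.group(1), parse_version(m.group(2))
        a, b = _pad(v, bound)
        if not _OPS[op](a, b):
            return False
    return True


def parse_pins(requirements: str) -> Dict[str, str]:
    """Return {normalized_name: version} for '==' pins.

    Unpinned lines are skipped: a release can only be matched against the
    feed once its exact version is known.
    """
    pins: Dict[str, str] = {}
    for line in requirements.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if sep:
            pins[normalize_name(name)] = version.strip()
    return pins


def find_vulnerable(pins: Dict[str, str], feed) -> List[Tuple[str, str, str]]:
    """Every (name, version, advisory id) where a pinned release is affected."""
    hits = []
    for entry in feed:
        name = normalize_name(entry["package"])
        if name in pins and version_in_range(pins[name], entry["affected"]):
            hits.append((name, pins[name], entry["id"]))
    return sorted(hits)


if __name__ == "__main__":
    for name, version, vuln_id in find_vulnerable(parse_pins(SAMPLE_REQUIREMENTS), VULN_FEED):
        print(f"{name}=={version} is affected by {vuln_id}")
```

Run stand-alone it reports the single affected pin in the constructed data; the real work a PyPI-hosted feed would save is maintaining the `VULN_FEED` mapping, since the matching itself is a few lines once release metadata and affected ranges live in one place.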




