


Re: Suggestion: PEP for tracking vulnerable Python packages

Started by: Andres Riancho <andres.riancho@gmail.com>
First post: 2015-05-12 17:32 -0300
Last post: 2015-05-12 17:32 -0300
Articles: 1 — 1 participant


This discussion starts older than the indexed window; earlier articles aren't shown. The article labeled Started by below is the oldest one visible, not the original post.



#90493 — Re: Suggestion: PEP for tracking vulnerable Python packages

From: Andres Riancho <andres.riancho@gmail.com>
Date: 2015-05-12 17:32 -0300
Subject: Re: Suggestion: PEP for tracking vulnerable Python packages
Message-ID: <mailman.417.1431462791.12865.python-list@python.org>
Grant,

On Tue, May 12, 2015 at 5:16 PM, Grant Murphy <grantcmurphy@gmail.com> wrote:
> Hi,
>
> When pulling in a dependency via pip it is currently difficult to reason about
> whether there are any vulnerabilities associated with the package version you
> are using. I think the Python package management infrastructure could be
> extended to facilitate this capability reasonably easily. PyPI already
> contains a lot of metadata around package owners and releases available.
> Adding the ability to flag a release as having a vulnerability and CVE
> associated with it seems like a reasonable addition to me.
>
> Currently there are some projects that are trying to track this information [1],
> however by including this type of information as a part of the Python
> infrastructure I think it would encourage better vulnerability management
> practices within the community.
>
> I'd like some feedback on how to move forward with this suggestion. Does
> this seem like something that could be worth turning into a PEP?

I believe a PEP is not necessary, but it would be great to make this
information part of the package meta-data in pypi, and have "pip"
refuse to install a package that has known vulnerabilities. The user
could force the installation of a vulnerable package with
"--install-vulnerable package-name", but at least pypi / python
community is warning the dev.

> 1. https://github.com/victims/victims-cve-db
>
> - Grant
> --
> https://mail.python.org/mailman/listinfo/python-list



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
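The pip behaviour Andres sketches above (refuse a release that PyPI metadata flags with a CVE, allow it only with an explicit override), as an added example that is not code from this thread nor from pip or PyPI; the metadata layout, the `Advisory` and `ReleaseMetadata` names and the `install_vulnerable` flag are assumptions made for illustration.

```python
# Added example, not code from the thread or from pip/PyPI. The metadata
# shape, class names and the override flag are assumptions for illustration.
from dataclasses import dataclass, field


def parse_version(text: str) -> tuple:
    """Minimal dotted-version parser; real pip uses PEP 440 via `packaging`."""
    return tuple(int(part) for part in text.split("."))


@dataclass
class Advisory:
    cve: str             # identifier as it would sit in PyPI release metadata
    affected_below: str  # every release older than this version is affected


@dataclass
class ReleaseMetadata:
    name: str
    version: str
    advisories: list = field(default_factory=list)


def known_vulnerabilities(meta: ReleaseMetadata) -> list:
    """Return the CVE ids whose affected range covers this release."""
    v = parse_version(meta.version)
    return [a.cve for a in meta.advisories if v < parse_version(a.affected_below)]


def install_decision(meta: ReleaseMetadata, install_vulnerable: bool = False) -> tuple:
    """Mimic pip refusing a flagged release unless the user forces it.
    Returns (allowed, message) so the caller can both act and warn the dev."""
    cves = known_vulnerabilities(meta)
    if not cves:
        return True, f"{meta.name}=={meta.version}: no known vulnerabilities"
    listing = ", ".join(cves)
    if install_vulnerable:
        return True, f"WARNING: installing {meta.name}=={meta.version} with known {listing}"
    return False, (f"refusing {meta.name}=={meta.version}: flagged for {listing}; "
                   f"re-run with --install-vulnerable {meta.name} to override")


# Constructed sample metadata; the CVE id is a placeholder, not a real advisory.
SAMPLE = ReleaseMetadata("examplepkg", "1.2.0",
                         [Advisory("CVE-XXXX-NNNNN", affected_below="1.2.1")])

if __name__ == "__main__":
    print(install_decision(SAMPLE)[1])
    print(install_decision(SAMPLE, install_vulnerable=True)[1])
```

The first print shows the refusal with the override hint; the second shows the forced install still carrying the warning, which is the "at least the community is warning the dev" part of the proposal.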




