| Started by | Tim Golden <mail@timgolden.me.uk> |
|---|---|
| First post | 2015-05-12 22:23 +0100 |
| Last post | 2015-05-12 22:23 +0100 |
| Articles | 1 — 1 participant |
This discussion starts older than the indexed window; earlier articles aren't shown. The article labeled Started by
below is the oldest one visible, not the original post.
Re: Suggestion: PEP for tracking vulnerable packages within PyPI Tim Golden <mail@timgolden.me.uk> - 2015-05-12 22:23 +0100
| From | Tim Golden <mail@timgolden.me.uk> |
|---|---|
| Date | 2015-05-12 22:23 +0100 |
| Subject | Re: Suggestion: PEP for tracking vulnerable packages within PyPI |
| Message-ID | <mailman.420.1431465828.12865.python-list@python.org> |
On 12/05/2015 22:17, Mark Lawrence wrote:
> On 12/05/2015 20:46, Grant Murphy wrote:
>> Hi,
>>
>> When pulling in a dependency via pip it is currently difficult to reason about
>> whether there are any vulnerabilities associated with the package version you
>> are using. I think the Python package management infrastructure could be
>> extended to facilitate this capability reasonably easily. PyPI already
>> contains a lot of metadata around package owners and releases available.
>> Adding the ability to flag a release as having a vulnerability and CVE
>> associated with it seems like a reasonable addition to me.
>>
>> Currently there are some projects that are trying to track this information [1],
>> however by including this type of information as a part of the main Python
>> infrastructure I think it would encourage better vulnerability management
>> practices within the community.
>>
>> I'd like some feedback on how to move forward with this suggestion. Does
>> this seem like something that could be worth turning into a PEP?
>>
>> 1. https://github.com/victims/victims-cve-db
>>
>> - Grant
>>
>
> It strikes me as a great idea. As you've got the time to send three
> emails some 40 minutes apart saying the same thing, you must have the
> time to do the work that is involved, so please let us know what your
> plans are.
>

Before you drown in your own snark, Mark, I'll just point out that the OP
sent the later emails thinking that the earlier ones hadn't got through,
since I was somewhere which didn't have internet access so couldn't approve
the posts. Still a tad impatient, I agree, but not the question-bomber
you're suggesting.

TJG
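The check Grant's quoted proposal describes, matching the exact version a project pins against per-release vulnerability flags, is shown below as an added example; it is not code from the thread, from PyPI, or from victims-cve-db. The feed format (package name, affected version specifier, advisory id) is a hypothetical stand-in for the metadata the proposal would add to PyPI, the package names and CVE-style ids are made up, and version handling is deliberately limited to plain dotted numeric versions with the stdlib only; real tooling should use the packaging library's PEP 440 Version and SpecifierSet instead.

```python
"""Match pinned requirements against a vulnerability feed.

Added example, not from the thread. VULN_FEED is a hypothetical layout for
the per-release vulnerability metadata proposed in the post, not PyPI's or
victims-cve-db's real schema; all names and ids below are constructed.
"""
import re

# Constructed feed: package -> [(affected version specifier, advisory id)].
# Package names and advisory ids are placeholders, not real packages or CVEs.
VULN_FEED = {
    "examplepkg": [
        (">=1.0,<1.4.2", "CVE-0000-0001"),
        ("==2.0.0", "CVE-0000-0002"),
    ],
    "otherlib": [
        ("<0.9", "CVE-0000-0003"),
    ],
}

# Constructed requirements.txt content, exact pins as `pip freeze` emits them.
REQUIREMENTS = """\
examplepkg==1.3.0
otherlib==0.9.1
cleanpkg==3.1
# a comment line
Examplepkg==2.0.0
"""

_OPS = {
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}


def parse_version(text):
    """Parse a dotted numeric version ('1.4.2') into a comparable tuple.

    Trailing zeros are dropped so that 1.4 == 1.4.0. Pre-, post- and dev-
    release tags are rejected; use packaging.version for full PEP 440.
    """
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError("unsupported version: %r" % text)
    parts = [int(p) for p in text.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def version_matches(version, specifier):
    """True if `version` satisfies every comma-separated clause of `specifier`."""
    v = parse_version(version)
    for clause in specifier.split(","):
        m = re.fullmatch(r"\s*(==|!=|>=|<=|>|<)\s*([\d.]+)\s*", clause)
        if not m:
            raise ValueError("unsupported clause: %r" % clause)
        op, target = m.groups()
        if not _OPS[op](v, parse_version(target)):
            return False
    return True


def normalize_name(name):
    """PEP 503 normalization: lower-case, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text):
    """Yield (normalized name, version) for each 'name==version' line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9._-]+)\s*==\s*([\d.]+)", line)
        if not m:
            raise ValueError("only exact pins are supported: %r" % line)
        yield normalize_name(m.group(1)), m.group(2)


def find_vulnerable(requirements_text, feed):
    """Return a sorted list of (name, version, advisory) for every flagged pin."""
    feed = {normalize_name(k): v for k, v in feed.items()}
    hits = []
    for name, version in parse_requirements(requirements_text):
        for specifier, advisory in feed.get(name, []):
            if version_matches(version, specifier):
                hits.append((name, version, advisory))
    return sorted(hits)


if __name__ == "__main__":
    for name, version, advisory in find_vulnerable(REQUIREMENTS, VULN_FEED):
        print("%s==%s is affected by %s" % (name, version, advisory))
```

Run stand-alone it reports the two flagged pins (examplepkg 1.3.0 and 2.0.0) and stays quiet about otherlib 0.9.1, which sits just outside the affected range; the name normalization is what lets the differently-cased `Examplepkg` pin match the feed entry.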