| References | <CAHXGaxD+hj=N-UqzO=nepka0KJ7zbr+_VneuPRbs34G6NjZNZA@mail.gmail.com> <mitqlb$r6e$1@ger.gmane.org> |
|---|---|
| Date | 2015-05-12 14:56 -0700 |
| Subject | Re: Suggestion: PEP for tracking vulnerable packages within PyPI |
| From | Grant Murphy <grantcmurphy@gmail.com> |
| Newsgroups | comp.lang.python |
| Message-ID | <mailman.422.1431467822.12865.python-list@python.org> (permalink) |
Ok so.. no PEP needed then..alright then... my plan now goes something like this:

0. Send this email.
1. Unsubscribe from the python-list. (I don't enjoy the company of trolls).
2. Actually fix the problem and submit a PR.
3. Go have a beer.

Apologies for the multiple emails. I can see how Mark needed to be a jerk about it..

- Grant

On Tue, May 12, 2015 at 2:17 PM, Mark Lawrence <breamoreboy@yahoo.co.uk> wrote:
> On 12/05/2015 20:46, Grant Murphy wrote:
>>
>> Hi,
>>
>> When pulling in a dependency via pip it is currently difficult to reason
>> about whether there are any vulnerabilities associated with the package
>> version you are using. I think the Python package management
>> infrastructure could be extended to facilitate this capability reasonably
>> easily. PyPI already contains a lot of metadata around package owners and
>> releases available. Adding the ability to flag a release as having a
>> vulnerability and CVE associated with it seems like a reasonable addition
>> to me.
>>
>> Currently there are some projects that are trying to track this
>> information [1], however by including this type of information as a part
>> of the main Python infrastructure I think it would encourage better
>> vulnerability management practices within the community.
>>
>> I'd like some feedback on how to move forward with this suggestion. Does
>> this seem like something that could be worth turning into a PEP?
>>
>> 1. https://github.com/victims/victims-cve-db
>>
>> - Grant
>>
>
> It strikes me as a great idea. As you've got the time to send three emails
> some 40 minutes apart saying the same thing, you must have the time to do
> the work that is involved, so please let us know what your plans are.
>
> --
> My fellow Pythonistas, ask not what our language can do for you, ask
> what you can do for our language.
>
> Mark Lawrence
>
> --
> https://mail.python.org/mailman/listinfo/python-list
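The quoted proposal is a release-level advisory record (package, affected versions, CVE) that a pip user could consult before installing. The script below is an added example of that lookup, not code from this thread, from PyPI, or from victims-cve-db: it checks a pinned requirements list against an advisory feed. The advisory layout is an assumption, and every package name, version and CVE id in it is a constructed placeholder, not real data. It only handles exact `==` pins and dotted numeric versions; anything else is reported as undecidable rather than silently passed.

```python
"""Flag pinned dependencies that fall inside a published advisory's version range.

Added illustration of the thread's idea. The Advisory record shape is an
assumption; the advisories, package names and CVE ids are constructed
placeholders, not real vulnerabilities.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Advisory:
    package: str
    cve: str          # placeholder id, not a real CVE
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive); "" means no fix published


# Constructed advisory feed (placeholder values).
ADVISORIES: List[Advisory] = [
    Advisory("examplepkg", "CVE-0000-00001", "1.0", "1.4.2"),
    Advisory("examplepkg", "CVE-0000-00002", "2.0", ""),
    Advisory("otherlib", "CVE-0000-00003", "0.9", "1.0"),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """'1.4.2' -> (1, 4, 2). Tuples compare numerically, so '1.10' > '1.9'.

    Only dotted numeric versions are supported here (assumption); anything
    else raises so that the caller reports it instead of guessing.
    """
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version format: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(adv: Advisory, version: str) -> bool:
    """True when introduced <= version < fixed (or no fix exists yet)."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    if adv.fixed and v >= parse_version(adv.fixed):
        return False
    return True


def parse_requirements(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Split requirement lines into exact pins {name: version} and a list of
    lines that cannot be checked (unpinned or range specifiers)."""
    pins: Dict[str, str] = {}
    undecidable: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        name, sep, ver = line.partition("==")
        if not sep or not ver.strip():
            undecidable.append(line)         # e.g. 'foo>=1.0' or bare 'foo'
            continue
        pins[name.strip().lower()] = ver.strip()
    return pins, undecidable


def find_vulnerable(pins: Dict[str, str],
                    advisories: List[Advisory] = ADVISORIES
                    ) -> List[Tuple[str, str, str, Optional[str]]]:
    """Return (package, pinned version, advisory id, fixed version or None)
    for every pin that falls inside an advisory's affected range."""
    hits = []
    for adv in advisories:
        pinned = pins.get(adv.package.lower())
        if pinned is not None and is_affected(adv, pinned):
            hits.append((adv.package, pinned, adv.cve, adv.fixed or None))
    return hits


# Constructed requirements input.
REQUIREMENTS = """\
examplepkg==1.3.0     # inside CVE-0000-00001's range
otherlib==1.0         # exactly the fixed version: not affected
unrelated==3.1.0      # no advisory
somelib>=2.0          # range specifier: cannot be decided from a pin check
"""


if __name__ == "__main__":
    pins, undecidable = parse_requirements(REQUIREMENTS)
    for pkg, ver, cve, fixed in find_vulnerable(pins):
        remedy = f"upgrade to >= {fixed}" if fixed else "no fixed release yet"
        print(f"{pkg}=={ver}: {cve} ({remedy})")
    for line in undecidable:
        print(f"skipped (not an exact pin): {line}")
```

The check is deliberately version-range based rather than "is this release flagged", because an advisory usually names a first affected and a first fixed version, and a client resolving a pin needs to know which side of the fix boundary it lands on.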