[Distutils] Name arbitration on PyPI (was: The mypy package)
Glyph
glyph at twistedmatrix.com
Mon Apr 18 18:24:32 EDT 2016
> On Apr 18, 2016, at 3:21 PM, Donald Stufft <donald at stufft.io> wrote:
>
>>
>> On Apr 18, 2016, at 6:14 PM, Glyph <glyph at twistedmatrix.com <mailto:glyph at twistedmatrix.com>> wrote:
>>
>>
>>> On Apr 18, 2016, at 2:31 PM, Ian Cordasco <graffatcolmingov at gmail.com <mailto:graffatcolmingov at gmail.com>> wrote:
>>>
>>> I have in fact offered but the author refuses to accept help from
>>> anyone. They're also the author of the C library (libyaml) and they do
>>> not maintain that either. It's actually quite frustrating as someone
>>> who wants to fix some of the numerous bugs in the library + improve it
>>> and add support for YAML 1.2 which is years old at this point.
>>
>> Since the spectre of malware has been raised in this thread, I feel I should point out that the reverse is also true. Although libyaml / pyyaml are "trusted" today, what happens after the inevitable 0-day RCE drops which the author refuses to patch it? Does PyPI have a responsibility to re-assign the name in that case? Specifically, YAML does have a heritage <http://www.sitepoint.com/anatomy-of-an-exploit-an-in-depth-look-at-the-rails-yaml-vulnerability/> of vulnerabilities, even if this specific instance doesn't.
>>
>
> We don’t currently have much in the way of mechanisms to deal with that. Although I could think of a few that we could do which *wouldn’t* require handing over the name and which could generalize out to other maintenance/abandonment problems as well, like (in order of severity):
>
> * Add a warning on the PyPI page indicating that the project is abandoned/unmaintained/etc suggesting they find something else (possibly with specific suggestions, like PIL -> Pillow).
This is the sort of thing I had in mind with https://github.com/pypa/warehouse/issues/933 <https://github.com/pypa/warehouse/issues/933> - it seems like any kind of annotation like this should be a matter of last resort and authors should be given every opportunity to respond first.
>
> * Add some mechanism to pip/PyPI that would allow PyPI to provide a message to people installing a particular project (or perhaps a specific version). This could also be exposed to authors who want to mark specific versions of their project as insecure.
>
> * Delete the files from PyPI or otherwise prevent them from being discovered by pip (likely paired with the a warning of some kind on the PyPI page).
>
> -----------------
> Donald Stufft
> PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/distutils-sig/attachments/20160418/d5873d3f/attachment.html>
More information about the Distutils-SIG
mailing list