Suggestion: PEP for tracking vulnerable Python packages

Andres Riancho andres.riancho at gmail.com
Tue May 12 16:32:48 EDT 2015


Grant,

On Tue, May 12, 2015 at 5:16 PM, Grant Murphy <grantcmurphy at gmail.com> wrote:
> Hi,
>
> When pulling in a dependency via pip it is currently difficult to reason about
> whether there are any vulnerabilities associated with the package version you
> are using. I think the Python package management infrastructure could be
> extended to facilitate this capability reasonably easily. PyPI already
> contains a lot of metadata around package owners and releases available.
> Adding the ability to flag a release as having a vulnerability and CVE
> associated with it seems like a reasonable addition to me.
>
> Currently there are some projects that are trying to track this information [1],
> however by including this type of information as a part of the Python
> infrastructure I think it would encourage better vulnerability management
> practices within the community.
>
> I'd like some feedback on how to move forward with this suggestion. Does
> this seem like something that could be worth turning into a PEP?

I believe a PEP is not necessary, but it would be great to make this
information part of the package metadata in PyPI, and have "pip"
refuse to install a package that has known vulnerabilities. The user
could force the installation of a vulnerable package with
"--install-vulnerable package-name", but at least PyPI / the Python
community is warning the dev.

> 1. https://github.com/victims/victims-cve-db
>
> - Grant
> --
> https://mail.python.org/mailman/listinfo/python-list



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
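To make the proposal above concrete, here is a small added example (not pip's code, and not part of either message in this thread) of what such a check could look like: a constructed vulnerability table keyed by package name, a version-range matcher, and an installer front end that refuses a flagged release unless an "--install-vulnerable" override is given. The package name "examplepkg", the version ranges and the "CVE-0000-000x" identifiers are placeholders, not real advisories; the version parser handles plain numeric versions only (a real implementation would use the "packaging" library and PyPI's name normalization).

```python
"""Refuse to install a release flagged as vulnerable, unless overridden.

Added illustration of the thread's proposal; nothing here is pip's own code.
"""
import argparse
import operator
import re

# Constructed sample data standing in for per-release vulnerability
# metadata on PyPI. Names, ranges and CVE ids are placeholders.
VULN_DB = {
    "examplepkg": [
        {"id": "CVE-0000-0001", "affected": ">=1.0,<1.4.2", "fixed_in": "1.4.2"},
        {"id": "CVE-0000-0002", "affected": "<2.1", "fixed_in": "2.1"},
    ],
}

_OPS = {
    "<": operator.lt, "<=": operator.le, ">": operator.gt,
    ">=": operator.ge, "==": operator.eq, "!=": operator.ne,
}
_CLAUSE = re.compile(r"(<=|>=|==|!=|<|>)\s*([0-9.]+)")


def parse_version(text):
    """Turn '1.4.0' into a comparable tuple; trailing zeros are dropped so
    that 1.4 and 1.4.0 compare equal. Numeric versions only (assumption)."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def matches(version, spec):
    """True if `version` satisfies every comma-separated clause in `spec`,
    e.g. '>=1.0,<1.4.2'."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = _CLAUSE.fullmatch(clause.strip())
        if not m:
            raise ValueError("unsupported range clause: %r" % clause)
        op, bound = m.groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True


def find_vulnerabilities(name, version, db=VULN_DB):
    """Return the advisories whose affected range covers this release."""
    return [adv for adv in db.get(name.lower(), []) if matches(version, adv["affected"])]


def decide(name, version, install_vulnerable=False, db=VULN_DB):
    """Return (allowed, advisories): refuse a flagged release unless the
    caller explicitly asked to install it anyway."""
    advisories = find_vulnerabilities(name, version, db)
    return (not advisories or install_vulnerable, advisories)


def main(argv=None):
    parser = argparse.ArgumentParser(description="toy vulnerability-aware installer")
    parser.add_argument("requirement", help="pinned requirement, e.g. examplepkg==1.2")
    parser.add_argument("--install-vulnerable", action="store_true",
                        help="install even if the release has known vulnerabilities")
    args = parser.parse_args(argv)
    name, sep, version = args.requirement.partition("==")
    if not sep:
        parser.error("requirement must be pinned as name==version")

    allowed, advisories = decide(name, version, args.install_vulnerable)
    for adv in advisories:
        print("WARNING: %s==%s is affected by %s (fixed in %s)"
              % (name, version, adv["id"], adv["fixed_in"]))
    if not allowed:
        print("Refusing to install %s==%s; pass --install-vulnerable to override."
              % (name, version))
        return 1
    print("Would install %s==%s" % (name, version))
    return 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run as `python check.py examplepkg==1.2` the script exits non-zero and names both advisories; adding `--install-vulnerable` prints the same warnings but proceeds, which is the behaviour the reply suggests: the dev is warned either way, and only an explicit flag gets a flagged release installed.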