Suggestion: PEP for tracking vulnerable packages within PyPI
Tim Golden
mail at timgolden.me.uk
Tue May 12 17:23:40 EDT 2015
On 12/05/2015 22:17, Mark Lawrence wrote:
> On 12/05/2015 20:46, Grant Murphy wrote:
>> Hi,
>>
>> When pulling in a dependency via pip it is currently difficult to
>> reason about
>> whether there are any vulnerabilities associated with the package
>> version you
>> are using. I think the Python package management infrastructure could be
>> extended to facilitate this capability reasonably easily. PyPI already
>> contains a lot of metadata around package owners and releases available.
>> Adding the ability to flag a release as having a vulnerability and CVE
>> associated with it seems like a reasonable addition to me.
>>
>> Currently there are some projects that are trying to track this
>> information [1],
>> however by including this type of information as a part of the main
>> Python
>> infrastructure I think it would encourage better vulnerability management
>> practices within the community.
>>
>> I'd like some feedback on how to move forward with this suggestion. Does
>> this seem like something that could be worth turning into a PEP?
>>
>> 1. https://github.com/victims/victims-cve-db
>>
>> - Grant
>>
>
> It strikes me as a great idea. As you've got the time to send three
> emails some 40 minutes apart saying the same thing, you must have the
> time to do the work that is involved, so please let us know what your
> plans are.
>
Before you drown in your own snark, Mark, I'll just point out that the
OP sent the later emails thinking that the earlier ones hadn't got
through, since I was somewhere which didn't have internet access so
couldn't approve the posts.
Still a tad impatient, I agree, but not the question-bomber you're
suggesting.
TJG
More information about the Python-list
mailing list