Suggestion: PEP for tracking vulnerable packages within PyPI

[Grant Murphy]

Ok so.. no PEP needed then..alright then... my plan now goes something
like this:

0. Send this email.
1. Unsubscribe from the python-list. (I don't enjoy the company of trolls).
2. Actually fix the problem and submit a PR.
3. Go have a beer.

Apologies for the multiple emails.  I can see how Mark needed to be a
jerk about it..

- Grant

On Tue, May 12, 2015 at 2:17 PM, Mark Lawrence <breamoreboy at yahoo.co.uk> wrote:
> On 12/05/2015 20:46, Grant Murphy wrote:
>>
>> Hi,
>>
>> When pulling in a dependency via pip it is currently difficult to reason
>> about
>> whether there are any vulnerabilities associated with the package version
>> you
>> are using. I think the Python package management infrastructure could be
>> extended to facilitate this capability reasonably easily. PyPI already
>> contains a lot of metadata around package owners and releases available.
>> Adding the ability to flag a release as having a vulnerability and CVE
>> associated with it seems like a reasonable addition to me.
>>
>> Currently there are some projects that are trying to track this
>> information [1],
>> however by including this type of information as a part of the main Python
>> infrastructure I think it would encourage better vulnerability management
>> practices within the community.
>>
>> I'd like some feedback on how to move forward with this suggestion. Does
>> this seem like something that could be worth turning into a PEP?
>>
>> 1. https://github.com/victims/victims-cve-db
>>
>> - Grant
>>
>
> It strikes me as a great idea.  As you've got the time to send three emails
> some 40 minutes apart saying the same thing, you must have the time to do
> the work that is involved, so please let us know what your plans are.
>
> --
> My fellow Pythonistas, ask not what our language can do for you, ask
> what you can do for our language.
>
> Mark Lawrence
>
> --
> https://mail.python.org/mailman/listinfo/python-list