> On Apr 18, 2016, at 2:31 PM, Ian Cordasco <graffatcolmin...@gmail.com> wrote:
>
> I have in fact offered but the author refuses to accept help from
> anyone. They're also the author of the C library (libyaml) and they do
> not maintain that either. It's actually quite frustrating as someone
> who wants to fix some of the numerous bugs in the library + improve it
> and add support for YAML 1.2 which is years old at this point.
Since the spectre of malware has been raised in this thread, I feel I should
point out that the reverse is also true. Although libyaml / pyyaml are
"trusted" today, what happens after the inevitable 0-day RCE drops which the
author refuses to patch? Does PyPI have a responsibility to re-assign the
name in that case? Specifically, YAML does have a heritage
<http://www.sitepoint.com/anatomy-of-an-exploit-an-in-depth-look-at-the-rails-yaml-vulnerability/>
of vulnerabilities, even if this specific instance doesn't.
-glyph
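The vulnerability heritage Glyph points at is mostly YAML loaders that construct arbitrary language objects from tagged nodes in untrusted input. The mitigation on the consuming side is a restricted loader with an explicit class allowlist. The following is an added example, not code from this thread or from pyyaml/libyaml; it uses Psych, the YAML parser shipped in Ruby's standard library (the ecosystem the linked Rails write-up concerns), and the sample documents are constructed for illustration.

```ruby
require 'yaml'

# Constructed sample: an ordinary configuration file with only core YAML types.
TRUSTED_CONFIG = <<~YAML
  name: example-service
  port: 8080
  tags: [web, internal]
YAML

# Constructed sample: a document carrying a Ruby-specific object tag.
# A safe loader must refuse to instantiate anything from it.
TAGGED_DOC = "--- !ruby/object:Object {}\n"

# Parse YAML from an untrusted source with Psych's restricted loader.
# Returns [:ok, data] on success or [:rejected, message] when the document
# uses a class outside the allowlist (or an alias, which we also disable).
# `permitted` is the explicit allowlist; by default only core scalar and
# collection types are accepted, so even Symbol must be opted in.
def load_untrusted_yaml(text, permitted: [])
  data = YAML.safe_load(text, permitted_classes: permitted, aliases: false)
  [:ok, data]
rescue Psych::Exception => e
  # Psych::DisallowedClass and Psych::BadAlias both derive from Psych::Exception.
  [:rejected, e.message]
end

if __FILE__ == $PROGRAM_NAME
  p load_untrusted_yaml(TRUSTED_CONFIG)
  p load_untrusted_yaml(TAGGED_DOC)
  p load_untrusted_yaml("level: :debug")
  p load_untrusted_yaml("level: :debug", permitted: [Symbol])
end
```

The design point is that the allowlist is the application's decision, made per input source: a loader that needs `Symbol` (or `Date`, or a specific value class) names it explicitly, and everything else, including object-construction tags, is rejected before any constructor runs.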
_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig