> On Apr 18, 2016, at 6:14 PM, Glyph <gl...@twistedmatrix.com> wrote:
> 
> 
>> On Apr 18, 2016, at 2:31 PM, Ian Cordasco <graffatcolmin...@gmail.com> wrote:
>> 
>> I have in fact offered but the author refuses to accept help from
>> anyone. They're also the author of the C library (libyaml) and they do
>> not maintain that either. It's actually quite frustrating as someone
>> who wants to fix some of the numerous bugs in the library + improve it
>> and add support for YAML 1.2 which is years old at this point.
> 
> Since the spectre of malware has been raised in this thread, I feel I should 
> point out that the reverse is also true.  Although libyaml / pyyaml are 
> "trusted" today, what happens after the inevitable 0-day RCE drops and the 
> author refuses to patch it?  Does PyPI have a responsibility to re-assign the 
> name in that case?  Specifically, YAML does have a heritage 
> <http://www.sitepoint.com/anatomy-of-an-exploit-an-in-depth-look-at-the-rails-yaml-vulnerability/>
>  of vulnerabilities, even if this specific instance doesn't.
> 

We don’t currently have much in the way of mechanisms to deal with that. 
Although I could think of a few that we could do which *wouldn’t* require 
handing over the name and which could generalize out to other 
maintenance/abandonment problems as well, like (in order of severity):

* Add a warning on the PyPI page indicating that the project is 
abandoned/unmaintained/etc suggesting they find something else (possibly with 
specific suggestions, like PIL -> Pillow).

* Add some mechanism to pip/PyPI that would allow PyPI to provide a message to 
people installing a particular project (or perhaps a specific version). This 
could also be exposed to authors who want to mark specific versions of their 
project as insecure.

* Delete the files from PyPI or otherwise prevent them from being discovered by 
pip (likely paired with a warning of some kind on the PyPI page).

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
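The second option above (an index-supplied message for a particular project, or for specific versions an author marks as insecure) is easy to sketch in code. The block below is an added example, not pip's or PyPI's code and not part of the original thread: the advisory feed format, the `ADVISORIES` contents, the severity levels and the `check_install` / `should_block` names are all assumptions made for illustration, and the version comparison is a simplified numeric one rather than full PEP 440.

```python
"""
Added example (hypothetical; not pip's or PyPI's code). Sketches an
index-published advisory feed keyed by normalized project name, and a
client-side check an installer could run before installing a project or
version. The feed format and severities are assumptions for illustration.
"""
import re

# Constructed advisory feed: illustrative entries only, NOT real advisories.
# "versions" is either "*" (whole project) or comma-separated clauses.
ADVISORIES = {
    "pyyaml": [
        {"versions": "*", "severity": "warning",
         "message": "Project reported as unmaintained; consider an alternative."},
        {"versions": "<3.11", "severity": "insecure",
         "message": "Author-flagged insecure range (constructed example, not a real advisory)."},
    ],
    "pil": [
        {"versions": "*", "severity": "abandoned",
         "message": "PIL is unmaintained; use Pillow instead."},
    ],
}


def normalize_name(name):
    """PEP 503 normalization: lowercase, runs of '-', '_' and '.' become one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(version):
    """Simplified dotted-numeric parse (assumption: not full PEP 440).
    Non-numeric suffixes are ignored and short versions are padded so 3.11 == 3.11.0."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group(0)) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
}


def version_matches(version, spec):
    """True if `version` satisfies every clause in `spec` (e.g. '<3.11,>=2.0'), or spec is '*'."""
    if spec.strip() == "*":
        return True
    v = parse_version(version)
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|!=|<|>)\s*([0-9][0-9A-Za-z.]*)\s*", clause)
        if not m:
            raise ValueError("unsupported clause: %r" % clause)
        if not _OPS[m.group(1)](v, parse_version(m.group(2))):
            return False
    return True


def check_install(name, version, advisories=ADVISORIES):
    """Return the advisories that apply to installing (name, version), most severe first."""
    rank = {"insecure": 0, "abandoned": 1, "warning": 2}
    hits = [a for a in advisories.get(normalize_name(name), [])
            if version_matches(version, a["versions"])]
    return sorted(hits, key=lambda a: rank.get(a["severity"], 99))


def should_block(name, version, advisories=ADVISORIES):
    """Policy hook: refuse to install a version carrying an 'insecure' advisory.
    Lesser severities only warn, matching the graded options in the message above."""
    return any(a["severity"] == "insecure"
               for a in check_install(name, version, advisories))


if __name__ == "__main__":
    for pkg, ver in [("PyYAML", "3.10"), ("PyYAML", "3.11"), ("PIL", "1.1.7"), ("requests", "2.9.1")]:
        for adv in check_install(pkg, ver):
            print("%s %s: [%s] %s" % (pkg, ver, adv["severity"], adv["message"]))
        if should_block(pkg, ver):
            print("%s %s: refusing to install (override required)" % (pkg, ver))
```

The split between `check_install` (report) and `should_block` (enforce) is deliberate: the first two bullets in the message are informational, and only the insecure-version case warrants refusing the install, so the policy decision is kept in one small function that a real installer could gate behind an explicit override flag.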


_______________________________________________
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig
