> On Apr 18, 2016, at 3:21 PM, Donald Stufft <don...@stufft.io> wrote:
>
>> On Apr 18, 2016, at 6:14 PM, Glyph <gl...@twistedmatrix.com> wrote:
>>
>>> On Apr 18, 2016, at 2:31 PM, Ian Cordasco <graffatcolmin...@gmail.com> wrote:
>>>
>>> I have in fact offered, but the author refuses to accept help from
>>> anyone. They're also the author of the C library (libyaml) and they do
>>> not maintain that either. It's actually quite frustrating as someone
>>> who wants to fix some of the numerous bugs in the library, improve it,
>>> and add support for YAML 1.2, which is years old at this point.
>>
>> Since the spectre of malware has been raised in this thread, I feel I should
>> point out that the reverse is also true. Although libyaml / pyyaml are
>> "trusted" today, what happens after the inevitable 0-day RCE drops which the
>> author refuses to patch? Does PyPI have a responsibility to re-assign
>> the name in that case? Specifically, YAML does have a heritage
>> <http://www.sitepoint.com/anatomy-of-an-exploit-an-in-depth-look-at-the-rails-yaml-vulnerability/>
>> of vulnerabilities, even if this specific instance doesn't.
>
> We don't currently have much in the way of mechanisms to deal with that.
> Although I could think of a few that we could do which *wouldn't* require
> handing over the name and which could generalize out to other
> maintenance/abandonment problems as well, like (in order of severity):
>
> * Add a warning on the PyPI page indicating that the project is
> abandoned/unmaintained/etc., suggesting they find something else (possibly with
> specific suggestions, like PIL -> Pillow).
This is the sort of thing I had in mind with https://github.com/pypa/warehouse/issues/933 - it seems like any kind of annotation like this should be a matter of last resort, and authors should be given every opportunity to respond first.

> * Add some mechanism to pip/PyPI that would allow PyPI to provide a message
> to people installing a particular project (or perhaps a specific version).
> This could also be exposed to authors who want to mark specific versions of
> their project as insecure.
>
> * Delete the files from PyPI or otherwise prevent them from being discovered
> by pip (likely paired with a warning of some kind on the PyPI page).
>
> -----------------
> Donald Stufft
> PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig