On 12/05/2015 22:17, Mark Lawrence wrote:
On 12/05/2015 20:46, Grant Murphy wrote:
Hi,

When pulling in a dependency via pip it is currently difficult to reason about whether there are any vulnerabilities associated with the package version you are using. I think the Python package management infrastructure could be extended to facilitate this capability reasonably easily. PyPI already contains a lot of metadata around package owners and releases available. Adding the ability to flag a release as having a vulnerability and CVE associated with it seems like a reasonable addition to me.

Currently there are some projects that are trying to track this information [1], however by including this type of information as a part of the main Python infrastructure I think it would encourage better vulnerability management practices within the community.

I'd like some feedback on how to move forward with this suggestion. Does
this seem like something that could be worth turning into a PEP?

1. https://github.com/victims/victims-cve-db

- Grant


It strikes me as a great idea. As you've got the time to send three emails some 40 minutes apart saying the same thing, you must have the time to do the work that is involved, so please let us know what your plans are.


Before you drown in your own snark, Mark, I'll just point out that the OP sent the later emails thinking that the earlier ones hadn't got through, since I was somewhere which didn't have internet access so couldn't approve the posts.

Still a tad impatient, I agree, but not the question-bomber you're suggesting.

TJG
--
https://mail.python.org/mailman/listinfo/python-list
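To make the consumer side of Grant's proposal concrete, here is an added example (not code from the thread or from PyPI): it reads pinned requirements and checks them against per-project release metadata that flags affected versions with a CVE, of the kind the proposal suggests PyPI could publish. The advisory layout, the placeholder CVE ids and the requirements file are constructed for illustration, and the version comparison is a simplified dotted-integer ordering rather than full PEP 440.

```python
"""Check pinned requirements against vulnerability-flagged release metadata.

Added example; the advisory format below is an assumption, not a PyPI field.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample requirements file with exact pins.
SAMPLE_REQUIREMENTS = """\
requests==2.5.0
six==1.9.0
# comments and unpinned lines are ignored
Django==1.8.0
"""

# Constructed sample of hypothetical per-project metadata: each advisory names
# the first affected release and the release that fixes it. CVE ids are
# placeholders, not real identifiers.
SAMPLE_ADVISORIES: Dict[str, List[dict]] = {
    "requests": [{"id": "CVE-XXXX-0001", "introduced": "2.0.0", "fixed_in": "2.6.0"}],
    "django": [
        {"id": "CVE-XXXX-0002", "introduced": "1.8.0", "fixed_in": "1.8.1"},
        {"id": "CVE-XXXX-0003", "introduced": "1.4.0", "fixed_in": "1.7.0"},
    ],
}

PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9.]*)\s*$")


def version_key(version: str) -> Tuple[int, ...]:
    """Simplified ordering for dotted numeric versions (PEP 440 needs `packaging`)."""
    return tuple(int(part) for part in version.split("."))


def parse_pins(text: str) -> Dict[str, str]:
    """Return {normalised project name: pinned version} for `name==x.y.z` lines."""
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        match = PIN_RE.match(line)
        if match:
            pins[match.group(1).lower()] = match.group(2)  # simplified PEP 503 normalisation
    return pins


def find_vulnerable(pins: Dict[str, str], advisories: Dict[str, List[dict]]) -> List[Tuple[str, str, str]]:
    """List (project, pinned version, advisory id) where introduced <= pinned < fixed_in."""
    hits = []
    for name, version in pins.items():
        pinned = version_key(version)
        for adv in advisories.get(name, []):
            if version_key(adv["introduced"]) <= pinned < version_key(adv["fixed_in"]):
                hits.append((name, version, adv["id"]))
    return hits


if __name__ == "__main__":
    for project, version, cve in find_vulnerable(parse_pins(SAMPLE_REQUIREMENTS), SAMPLE_ADVISORIES):
        print(f"{project}=={version} is flagged by {cve}")
```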