On 09/21/2013 04:51 PM, Donald Stufft wrote:
> Any changes to PyPI would require the projects themselves to flag a
> security issue which won't always happen. A third party project allows a
> neutral party to handle this.

One thing I don't fully get is how victi.ms - or any third party - collects information regarding the vulnerabilities?

I understand there would be two sources of information?

- public vulnerability databases
- data submitted by package maintainers themselves (this would have to be routed to a third party somehow)

> Also as Nick said PyPI itself is mostly in a holding pattern while a 2.0
> is being phased in, new features *are* possible but they are all weighed
> against the amount of effort it will take (x2).

Sure, I understand it now.

cheers,

--
Dariusz Suchojad

https://zato.io
ESB, SOA and cloud integrations in Python

_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig