I appreciate that there are no resources for solving this problem, which is 
why I'm trying to contribute.

I ran some tools on the top 5000 most-downloaded packages. Of those, there 
are about 25 problem packages, but they are requirements for another ~50. So 
more than 1% of the top most-downloaded packages have known vulnerabilities.

The most obvious of them is PyCrypto. It is about the 239th most-downloaded 
package on PyPI. It is a requirement for about another 10 of the top 5000. 
There were about 1.5M downloads in the last month.

The last official upstream release is 2.6.1 from October 2013 (based on 
what's on https://www.dlitz.net/software/pycrypto/). It is vulnerable to 
CVE-2013-7459 and CVE-2018-6594, and there are PoC exploits available.

So, what do I do? I'll start by filing defects for any package that 
requires PyCrypto to stop using it. But I won't be able to reach everyone.

If I can formally prove that the PyCrypto package has been abandoned, can I 
take it over and replace it with a version that intentionally does not 
work? That may be an improvement to having people use an exploitable 
package.

- A


On Tuesday, February 12, 2019 at 6:15:19 PM UTC-5, Brett Cannon wrote:
>
> Since PyPI is an open package host/index there is no policy here. It is up 
> to the package maintainers to remove vulnerable packages or for users to do 
> their best to not use vulnerable packages (PyPA doesn't have the staffing 
> to police this sort of thing).
>
> On Tue, Feb 12, 2019 at 1:50 PM Alex deVries <alexth...@gmail.com> wrote:
>
>>
>> There are packages in PyPI that have had known vulnerabilities, and in 
>> some cases for a long time.
>>
>> There are a few situations: 
>> 1. current version package A has known vulnerabilities and would fit the 
>> definition of abandoned
>> 2. an old vulnerable version of package A is required by a current 
>> version of package B
>> 3. a current vulnerable version of package A is required by a current 
>> version of package B
>>
>> Is there a policy on how these different situations are handled? 
>>
>> If I understand PEP 541, an abandoned package can only be transferred, 
>> but not actually removed. 
>>
>> I'm new here, thanks for your patience. 
>>  
>> - A
>>
>
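
As an added illustration (not the poster's tooling and not part of this thread), the script below reproduces the kind of count described above: starting from a known-vulnerable package, it walks reverse dependencies through a constructed metadata set and reports each affected package with the chain of requirements behind it, which is the information a maintainer needs when a defect is filed against them. Apart from pycrypto, every package name is hypothetical.

```python
import re
from collections import deque

def normalize(name):
    """PEP 503 name normalization so 'PyCrypto' matches 'pycrypto'."""
    return re.sub(r"[-_.]+", "-", name).lower()

# Constructed sample metadata (package -> direct requirements). Only
# pycrypto is a real project; the other names are hypothetical.
SAMPLE_DEPS = {
    "PyCrypto": [],
    "legacy_ssh_lib": ["pycrypto"],
    "deploy-tool": ["legacy-ssh-lib", "requests-like"],
    "requests-like": ["urllib3-like"],
    "urllib3-like": [],
    "unrelated": ["requests-like"],
}

def reverse_graph(deps):
    """Map each package to the set of packages that directly require it."""
    rev = {}
    for pkg, reqs in deps.items():
        p = normalize(pkg)
        rev.setdefault(p, set())
        for r in reqs:
            rev.setdefault(normalize(r), set()).add(p)
    return rev

def transitive_exposure(deps, vulnerable):
    """{package: chain} for every package that requires a vulnerable one,
    directly or transitively; the chain runs from the affected package
    down to the vulnerable one, i.e. which requirement to file against.
    BFS with a visited map stays finite on dependency cycles."""
    rev = reverse_graph(deps)
    chains = {normalize(v): [normalize(v)] for v in vulnerable}
    queue = deque(chains)
    while queue:
        cur = queue.popleft()
        for dependant in sorted(rev.get(cur, ())):
            if dependant not in chains:
                chains[dependant] = [dependant] + chains[cur]
                queue.append(dependant)
    return {p: c for p, c in chains.items() if len(c) > 1}

def exposure_ratio(deps, vulnerable):
    """Share of the set that is vulnerable or depends on a vulnerable pkg."""
    roots = {normalize(v) for v in vulnerable} & set(map(normalize, deps))
    return (len(roots) + len(transitive_exposure(deps, vulnerable))) / len(deps)
```

Run against real metadata (for example the `Requires-Dist` fields of the top N downloaded projects), the same functions give the "25 direct, ~50 more transitively" style breakdown the poster reports.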
