Grant,

On Tue, May 12, 2015 at 5:16 PM, Grant Murphy <grantcmur...@gmail.com> wrote:
> Hi,
>
> When pulling in a dependency via pip it is currently difficult to reason about
> whether there are any vulnerabilities associated with the package version you
> are using. I think the Python package management infrastructure could be
> extended to facilitate this capability reasonably easily. PyPI already
> contains a lot of metadata around package owners and releases available.
> Adding the ability to flag a release as having a vulnerability and CVE
> associated with it seems like a reasonable addition to me.
>
> Currently there are some projects that are trying to track this information
> [1],
> however by including this type of information as a part of the Python
> infrastructure I think it would encourage better vulnerability management
> practices within the community.
>
> I'd like some feedback on how to move forward with this suggestion. Does
> this seem like something that could be worth turning into a PEP?

I believe a PEP is not necessary, but it would be great to make this
information part of the package meta-data in pypi, and have "pip" refuse to
install a package that has known vulnerabilities. The user could force the
installation of a vulnerable package with "--install-vulnerable package-name",
but at least pypi / python community is warning the dev.

> 1. https://github.com/victims/victims-cve-db
>
> - Grant
> --
> https://mail.python.org/mailman/listinfo/python-list

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
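The pip-side behaviour sketched in the reply (skip releases flagged with a CVE, refuse a pinned flagged release unless the user overrides), as an added illustration that is not part of this thread, of pip or of PyPI. The metadata layout, the package names, versions and CVE ids are constructed placeholders, and the override flag name is taken from the reply as an assumption.

```python
import re

# Constructed release metadata (package -> version -> CVE ids flagged for that
# release); names, versions and CVE ids are placeholders, not real data.
RELEASES = {
    "examplepkg": {"1.0.0": [], "1.0.1": [], "1.1.0": ["CVE-0000-0001"]},
    "otherpkg": {"2.3.0": ["CVE-0000-0002"], "2.3.1": ["CVE-0000-0002"]},
}


class VulnerableRelease(Exception):
    """Every candidate release is flagged and no override was given."""


def _vkey(version):
    # Numeric tuple so "1.10.0" sorts after "1.9.0"; enough for the sample data.
    return tuple(int(p) for p in version.split("."))


def parse_requirement(req):
    """Split 'name==1.2.3' or 'name' into (name, pinned_version_or_None)."""
    m = re.fullmatch(r"\s*([A-Za-z0-9_.-]+)\s*(?:==\s*([0-9.]+))?\s*", req)
    if not m:
        raise ValueError(f"unsupported requirement: {req!r}")
    return m.group(1).lower(), m.group(2)


def select_release(req, install_vulnerable=False):
    """Return (version, cves) that would be installed for `req`.
    Unpinned: newest release with no flagged CVE (falling back to the newest
    flagged one). Pinned: exactly that release. A flagged choice is returned
    only with install_vulnerable=True (the '--install-vulnerable' override
    from the reply); otherwise VulnerableRelease is raised.
    """
    name, pinned = parse_requirement(req)
    releases = RELEASES.get(name)
    if not releases:
        raise KeyError(f"unknown package: {name}")
    if pinned is None:
        newest_first = sorted(releases, key=_vkey, reverse=True)
        clean = [v for v in newest_first if not releases[v]]
        chosen = (clean or newest_first)[0]
    elif pinned in releases:
        chosen = pinned
    else:
        raise KeyError(f"no release {pinned} of {name}")
    cves = releases[chosen]
    if cves and not install_vulnerable:
        raise VulnerableRelease(f"{name}=={chosen} is flagged: {', '.join(cves)}")
    return chosen, cves
```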