Incidentally, someone wondered about this exact same thing on distutils-sig
just a couple of days ago:
https://mail.python.org/archives/list/distutils-...@python.org/thread/WPQDP73N7IINXX36UAOG7YDYHD7MYU4X/
(Maybe this is not a sign that *something* needs to be done? I don’t know.)
IANAL, but I
On 2019-02-13 18:45:57 -0500 (-0500), Alex deVries wrote:
> Could Pyup's safety be that standardized tool? It's dead simple to
> run. The tools I put together install a package which recursively
> installs the dependencies, then dumps the list of installed
> packages through safety, which
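The pipeline described in the quoted message (install the package so its dependencies are resolved, then feed the list of installed packages to safety) catches vulnerable transitive dependencies because it checks what actually got installed, not just the top-level requirement. The following is an added example, not the quoted poster's tooling and not the safety project's code: it reproduces the last step of that pipeline offline, matching `pip freeze` output against a constructed, in-memory vulnerability database. The package names, versions and advisories are placeholders, and version handling is a simplified numeric comparison rather than full PEP 440 (real tools use the `packaging` library).

```python
"""Offline sketch of the "install, pip freeze, run through safety" pipeline.

Added example: matches pinned versions from `pip freeze` against a
constructed vulnerability database, which is what the final step of the
quoted pipeline does. Not the original poster's tooling.
"""
import re
from typing import Dict, List, Tuple

# Constructed, illustrative advisory data: package -> [(vulnerable spec, text)].
# Real safety reads a JSON database; these entries are NOT real advisories.
VULN_DB: Dict[str, List[Tuple[str, str]]] = {
    "examplelib": [("<1.4.2", "constructed: code execution via unpickle")],
    "otherlib": [(">=2.0,<2.3.1", "constructed: auth bypass")],
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Parse the dotted numeric release segment ("1.4.2" -> (1, 4, 2)).

    Simplification (assumption): pre/post-release suffixes are ignored;
    production tools should use PEP 440 parsing from `packaging`.
    """
    m = re.match(r"(\d+(?:\.\d+)*)", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def _cmp(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Three-way compare, zero-padded so 1.4 == 1.4.0."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


OPS = {
    "<": lambda c: c < 0, "<=": lambda c: c <= 0,
    ">": lambda c: c > 0, ">=": lambda c: c >= 0,
    "==": lambda c: c == 0, "!=": lambda c: c != 0,
}


def matches_spec(version: str, spec: str) -> bool:
    """True if version satisfies every comma-separated clause in spec."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = re.match(r"\s*(<=|>=|==|!=|<|>)\s*([\w.]+)\s*$", clause)
        if not m:
            raise ValueError(f"bad clause: {clause!r}")
        op, bound = m.groups()
        if not OPS[op](_cmp(v, parse_version(bound))):
            return False
    return True


def parse_freeze(text: str) -> Dict[str, str]:
    """Parse `pip freeze` output (name==version lines) into {name: version}.

    Names are lower-cased with '_' -> '-' so they match database keys;
    comments and editable/VCS lines (`-e ...`) are skipped.
    """
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "-e ")):
            continue
        name, sep, ver = line.partition("==")
        if not sep:
            continue
        pins[name.strip().lower().replace("_", "-")] = ver.strip()
    return pins


def check(freeze_text: str, db=VULN_DB) -> List[Tuple[str, str, str, str]]:
    """Return (package, installed_version, vulnerable_spec, advisory) hits."""
    hits = []
    for name, ver in parse_freeze(freeze_text).items():
        for spec, advisory in db.get(name, []):
            if matches_spec(ver, spec):
                hits.append((name, ver, spec, advisory))
    return hits


# Constructed `pip freeze` output for a hypothetical package and its deps.
SAMPLE_FREEZE = """\
examplelib==1.3.0
otherlib==2.3.1
safe-package==0.9
"""

if __name__ == "__main__":
    for hit in check(SAMPLE_FREEZE):
        print("VULNERABLE: %s==%s matches %s: %s" % hit)
```

In the real pipeline the freeze output is produced by `pip freeze` inside the throwaway virtualenv where the package was installed and piped to safety (`safety check --stdin`); the point of this example is the matching step, and in particular that `otherlib==2.3.1` is correctly not flagged because the constructed range excludes the fixed version.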
On 2019-02-12 16:27:15 -0800 (-0800), Alex deVries wrote:
[...]
> If I can formally prove that the Pycrypto package has been abandoned, can I
> take it over and replace it with a version that intentionally does not
> work? That may be an improvement to having people use an exploitable
>
Since PyPI is an open package host/index, there is no policy here. It is up
to the package maintainers to remove vulnerable packages or for users to do
their best to not use vulnerable packages (PyPA doesn't have the staffing
to police this sort of thing).
On Tue, Feb 12, 2019 at 1:50 PM Alex
There are packages on PyPI that have had known vulnerabilities, and in some
cases for a long time.
There are a few situations:
1. current version package A has known vulnerabilities and would fit the
definition of abandoned
2. an old vulnerable version of package A is required by a current