Declaration of Vulnerabilities - Pylint
Dear Pylint Maintainers,

GDMS-C is preparing a response to a Government of Canada solicitation and is considering identifying the following products in the work environment for the proposed solution:

- Pylint v2.*

As a requirement of the solicitation, GDMS-C is required to submit a list of the five (5) latest vulnerabilities for the products listed above. Please consider this request and complete the attached form for the products listed.

The proposal response is due shortly and as such GDMS-C would appreciate your response by no later than Close of Business (COB) on January 13, 2023.

Thank you in advance for your assistance; please advise if you require any further assistance or do not foresee meeting the requested due date.

Best regards,

Kurt Bird
Scrum Master, LCSS DevOps
General Dynamics Mission Systems-Canada
(403)-730-1206

"This message and/or attachments may include information subject to GD Corporate Policies and is intended to be accessed only by authorized recipients. Use, storage and transmission are governed by General Dynamics and its policies. Contractual restrictions apply to third parties. Recipients should refer to the policies or contract to determine proper handling. Unauthorized review, use, disclosure or distribution is prohibited. If you are not an intended recipient, please contact the sender and destroy all copies of the original message."
Disclaimer: I am not a maintainer and don't speak for them.

But wow! This is blunt. So your company is making good money using free products, supported by volunteers.

If the solicitation is mission critical, it would be a good idea to convince your management to spend some budget on supporting the pylint maintainers instead of demanding quick action. Maybe you could rephrase like: "Whom should I contact? Is there anybody we can hire to do this for us?"

This does, however, happen to be one of the problems I came in touch with on my day job: SOUP (software of unknown provenance) management in medical software. And most open source we use is not maintained with processes that fit these strict regulations (iec16304).

It would be great if the industry could start a funded registry of these free tools, and support the maintainers with money and advice. On the other hand, these heavyweight processes could hamper experimentation and evolution when not managed properly.

Some partial solutions do exist already: one example (I googled for 'cve pylint') could be Snyk: https://security.snyk.io/package/pip/pylint

On Sat, 7 Jan 2023, 02:17 Bird, Kurt, <Kurt.Bird@gd-ms.ca> wrote:
> Dear Pylint Maintainers,
> [...]

_______________________________________________
code-quality mailing list -- code-quality@python.org
To unsubscribe send an email to code-quality-leave@python.org
https://mail.python.org/mailman3/lists/code-quality.python.org/
Member address: kristoffel.pirard@gmail.com
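Kristoffel's pointer to Snyk is one way to produce the requested list; another public source is the OSV.dev database, which aggregates PyPI advisories and can be queried without an account. The script below is an added example and is not code from this thread or from the pylint project. It assumes the OSV `POST /v1/query` endpoint and its documented response shape (a `vulns` list whose entries carry `id`, `published`, `summary` and `aliases`); the `SAMPLE_VULNS` records at the bottom are constructed for a fictitious package purely so the "newest five" selection can be checked offline, and make no claim about any real project.

```python
"""Select the most recently published public advisories for a PyPI package.

Added example, not code from the mailing-list thread or from pylint itself.
Assumes the OSV.dev query API (https://api.osv.dev/v1/query) and its JSON
response shape: {"vulns": [{"id", "published", "summary", "aliases", ...}]}.
"""
import json
import urllib.request
from datetime import datetime, timezone

OSV_QUERY_URL = "https://api.osv.dev/v1/query"


def _parse_rfc3339(ts: str) -> datetime:
    # OSV timestamps end in "Z"; datetime.fromisoformat() on Python < 3.11
    # rejects that suffix, so normalise it to an explicit UTC offset first.
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def latest_advisories(vulns, n=5):
    """Return the n most recently published advisories, newest first.

    Records without a "published" field cannot be ranked and are skipped
    rather than silently sorted to one end of the list.
    """
    dated = [v for v in vulns if v.get("published")]
    dated.sort(key=lambda v: _parse_rfc3339(v["published"]), reverse=True)
    return [
        {
            "id": v["id"],
            "aliases": sorted(v.get("aliases", [])),
            "published": v["published"],
            "summary": v.get("summary", "").strip(),
        }
        for v in dated[:n]
    ]


def query_osv(package, ecosystem="PyPI", version=None, timeout=15):
    """Fetch every OSV record for a package (optionally pinned to one version).

    This is the only network call; everything else works on the returned list.
    """
    body = {"package": {"name": package, "ecosystem": ecosystem}}
    if version:
        body["version"] = version
    req = urllib.request.Request(
        OSV_QUERY_URL,
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp).get("vulns", [])


# Constructed records for a fictitious package. They exist only to exercise
# the selection logic offline; the IDs and dates are not real advisories.
SAMPLE_VULNS = [
    {"id": "EXAMPLE-2022-0001", "published": "2022-03-01T12:00:00Z", "summary": "older"},
    {"id": "EXAMPLE-2022-0003", "published": "2022-11-20T08:30:00Z",
     "summary": "newest", "aliases": ["ALIAS-3"]},
    {"id": "EXAMPLE-2022-0002", "published": "2022-06-15T00:00:00Z", "summary": "middle"},
    {"id": "EXAMPLE-UNDATED", "summary": "no published field, so it is skipped"},
]

if __name__ == "__main__":
    import sys

    pkg = sys.argv[1] if len(sys.argv) > 1 else "pylint"
    ver = sys.argv[2] if len(sys.argv) > 2 else None
    for adv in latest_advisories(query_osv(pkg, version=ver)):
        print(adv["published"], adv["id"], ",".join(adv["aliases"]), adv["summary"])
```

Run as `python osv_latest.py pylint` (or with a pinned version as the second argument) to list the five newest public records; pass the version you actually ship, since OSV will otherwise return advisories for every affected release, including ones already fixed in the version in use.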
Hello,

We're handling security through Tidelift; you can contact them directly: https://tidelift.com/subscription/pkg/pypi-pylint?utm_source=pypi-pylint&utm_medium=code_quality_mailing_list

You can also sponsor one of the pylint maintainers and ask them directly at:
https://github.com/sponsors/DanielNoord
https://github.com/sponsors/Pierre-Sassoulas

Best regards,

On Sun, 8 Jan 2023 at 08:49, Kristoffel Pirard <kristoffel.pirard@gmail.com> wrote:
> Disclaimer: I am not a maintainer and don't speak for them.
> [...]
participants (3)
- Bird, Kurt
- Kristoffel Pirard
- Pierre Sassoulas