I'd like to discuss and possibly implement a feature of PyPI that would make it quick to discover which of a given project's dependencies need to be updated because of new security-related fixes.
A little background is in order.
Zato currently has 80+ buildout dependencies and I'm betting at least 80 more will be added with time. I'm in a camp that has absolutely no problems with as many dependencies as are needed if it saves time and means fewer wheels being reinvented.
Once a dependency is in, it's pinned to a concrete version and that version is updated only in a couple of situations
For the last point, it would be really convenient if authors were offered a 'contains security fixes' kind of checkbox somewhere in the GUI.
This would be displayed in a couple of places:
- On the project's PyPI page, for instance here - https://pypi.python.org/pypi/redis - there could be a 'This version contains security fixes' box right below the download button
- It would be added to the Recent Updates feed https://pypi.python.org/pypi?%3Aaction=rss
- There would be a new feed at /pypi?%3Aaction=security_rss that would list only those recent uploads that have the flag set
As far as the underlying database goes, this would be a single boolean column in the 'releases' table.
Such a feature would allow for quickly reacting to any security changes without chasing dozens of mailing lists, Twitter, RSS, asking authors to be notified when they change something etc.
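As an added illustration of the consumer side of this idea (not code from the proposal, from Zato or from PyPI), here is how a project could read the proposed security feed and match it against its pinned versions. The feed below is a constructed sample that mirrors the layout of PyPI's existing Recent Updates RSS (item title "project version"); the /pypi?%3Aaction=security_rss endpoint is the proposed one and does not exist, and the version ordering is a deliberate simplification of real pin comparison rules.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of what the proposed security_rss feed could look like,
# following the "<project> <version>" item titles of PyPI's existing RSS.
# Not a real feed; the versions and projects are illustrative only.
SECURITY_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel>
<title>PyPI releases flagged as containing security fixes</title>
<item><title>redis 2.4.13</title>
<link>https://pypi.python.org/pypi/redis/2.4.13</link></item>
<item><title>lxml 3.0.2</title>
<link>https://pypi.python.org/pypi/lxml/3.0.2</link></item>
<item><title>anyjson 0.3.3</title>
<link>https://pypi.python.org/pypi/anyjson/0.3.3</link></item>
</channel></rss>"""

# Constructed buildout-style [versions] pins of a hypothetical project.
PINS = """[versions]
redis = 2.4.11
lxml = 3.0.2
gunicorn = 0.17.2
"""

def parse_pins(text):
    """Return {project: version} from a buildout [versions] section."""
    pins = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_.-]+)\s*=\s*(\S+)\s*$", line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins

def parse_security_feed(xml_text):
    """Return [(project, version, link)] for every flagged release in the feed."""
    releases = []
    for item in ET.fromstring(xml_text).iter("item"):
        name, version = item.findtext("title").rsplit(" ", 1)
        releases.append((name.lower(), version, item.findtext("link")))
    return releases

def version_key(v):
    # Simplified ordering: numeric parts compare as integers, other parts as
    # strings. Real pins should be compared with PEP 440 semantics instead.
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-]", v))

def pins_needing_update(pins, releases):
    """Pinned projects whose pin is older than a release flagged as a security fix."""
    return [(name, pins[name], version, link)
            for name, version, link in releases
            if name in pins and version_key(pins[name]) < version_key(version)]

if __name__ == "__main__":
    for name, pinned, fixed, link in pins_needing_update(parse_pins(PINS), parse_security_feed(SECURITY_FEED)):
        print("%s: pinned %s, security fix in %s (%s)" % (name, pinned, fixed, link))
```

Pins at or above the flagged version (lxml here) and projects not pinned at all (anyjson) are skipped, so the output is only the pins that actually need attention.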
Naturally, nothing would force people to actually use it but authors who treat their own work seriously would hopefully find it an interesting addition as well.
I'm familiarizing myself with https://bitbucket.org/pypa/pypi right now but I'd like to ask you if such a feature would be accepted at all if I implemented it. Also, it's not a priority one so if someone beats me to it, it's all good with me.
cheers and take care,
-- Dariusz Suchojad
https://zato.io ESB, SOA and cloud integrations in Python