21 Sep
2013
21 Sep
'13
8:23 a.m.
On 09/21/2013 04:51 PM, Donald Stufft wrote:
Any changes to PyPI would require the projects themselves to flag a security issue which won't always happen. A third party project allows a neutral party to handle this.
One thing I don't fully get is how victi.ms - or any third party - collect information regarding the vulnerabilities?
I understand there would be two sources of information?
- public vulnerability databases
- data submitted by package maintainers themselves (this would have to be routed to a third party somehow)
Also as Nick said PyPI itself is mostly in a holding pattern while a 2.0 is being phased in, new features are possible but they are all weighed against the amount of effort it will take (x2).
Sure, I understand it now.
cheers,
-- Dariusz Suchojad
https://zato.io ESB, SOA and cloud integrations in Python