
On Apr 18, 2016, at 2:31 PM, Ian Cordasco <graffatcolmingov@gmail.com> wrote:
I have in fact offered but the author refuses to accept help from anyone. They're also the author of the C library (libyaml) and they do not maintain that either. It's actually quite frustrating as someone who wants to fix some of the numerous bugs in the library + improve it and add support for YAML 1.2 which is years old at this point.
Since the spectre of malware has been raised in this thread, I feel I should point out that the reverse is also true. Although libyaml / pyyaml are "trusted" today, what happens after the inevitable 0-day RCE drops and the author refuses to patch it? Does PyPI have a responsibility to re-assign the name in that case? Specifically, YAML does have a heritage <http://www.sitepoint.com/anatomy-of-an-exploit-an-in-depth-look-at-the-rails...> of vulnerabilities, even if this specific instance doesn't.

-glyph