On 22 Sep 2013 01:20, "Dariusz Suchojad" <dsuch@zato.io> wrote:
> On 09/21/2013 04:51 PM, Donald Stufft wrote:
> > Any changes to PyPI would require the projects themselves to flag a
> > security issue which won't always happen. A third party project allows a
> > neutral party to handle this.
> One thing I don't fully get is how victi.ms - or any third party -
> collects information regarding the vulnerabilities?
> I understand there would be two sources of information?
> - public vulnerability databases
> - data submitted by package maintainers themselves (this would have to
> be routed to a third party somehow)

victi.ms is still in the process of launching - they want to have at least Java, Python and Ruby support before making a big push to promote it as a resource.

I believe the initial intent is for victi.ms to focus on mapping CVE numbers to upstream packages, and then have optional plugins to check Maven builds, Ruby gem dependencies and Python virtual environments for known vulnerable versions.

For PyPI integration, I would expect to initially see us as just a consumer of the data, displaying CVE information on PyPI when available, and likely republishing it through the PyPI APIs.

Even that would be a big step forward from where we are now :)


> > Also as Nick said PyPI itself is mostly in a holding pattern while a 2.0
> > is being phased in, new features *are* possible but they are all weighed
> > against the amount of effort it will take (x2).
> Sure, I understand it now.
> cheers,
> --
> Dariusz Suchojad
> https://zato.io
> ESB, SOA and cloud integrations in Python
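The check the reply describes for virtual environments (known CVE ranges matched against the packages actually installed) can be sketched in a few dozen lines. The following is an added example and not code from victi.ms, PyPI, or any poster in this thread: the advisory records and the `pip freeze`-style listing are constructed sample data, the CVE identifiers are placeholders, and the version comparison is a simplified numeric one rather than full PEP 440 ordering (real tooling would use the `packaging` library and a real advisory feed).

```python
"""Match installed packages against a small CVE-to-version-range map.

Added illustration only: advisory data and freeze output below are
constructed, and the CVE ids are placeholders, not real identifiers.
"""
import re
from typing import Dict, List

# Constructed advisory records: which package, and which version range,
# a (placeholder) CVE is believed to affect.
SAMPLE_ADVISORIES = [
    {"cve": "CVE-0000-0001", "package": "examplelib", "affected": "<1.2.3"},
    {"cve": "CVE-0000-0002", "package": "examplelib", "affected": ">=2.0,<2.0.5"},
    {"cve": "CVE-0000-0003", "package": "otherpkg", "affected": "<0.9"},
]

# Constructed `pip freeze` output from a hypothetical virtual environment.
SAMPLE_FREEZE = """\
examplelib==1.1.0
otherpkg==1.0
Unrelated-Package==3.4.5
"""

_CLAUSE = re.compile(r"^(<=|>=|==|<|>)\s*([0-9A-Za-z.]+)$")


def normalize_name(name: str) -> str:
    """PEP 503-style normalisation so "Foo_Bar" and "foo-bar" compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def version_key(version: str) -> List[int]:
    """Simplified key: leading integer of each dotted component ("3rc1" -> 3)."""
    key = []
    for part in version.split("."):
        m = re.match(r"\d+", part)
        key.append(int(m.group()) if m else 0)
    return key


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1; shorter keys are zero-padded so 2.0 == 2.0.0."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    ka += [0] * (width - len(ka))
    kb += [0] * (width - len(kb))
    return (ka > kb) - (ka < kb)


def version_in_range(version: str, spec: str) -> bool:
    """True when every comma-separated clause of `spec` holds for `version`."""
    for clause in spec.split(","):
        m = _CLAUSE.match(clause.strip())
        if not m:
            raise ValueError(f"unsupported range clause: {clause!r}")
        op, bound = m.groups()
        c = compare_versions(version, bound)
        holds = {"<": c < 0, "<=": c <= 0, "==": c == 0, ">": c > 0, ">=": c >= 0}[op]
        if not holds:
            return False
    return True


def parse_freeze(text: str) -> Dict[str, str]:
    """Turn `name==version` lines into {normalised name: version}."""
    installed: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue  # comments, editable installs, etc. are skipped here
        name, version = line.split("==", 1)
        installed[normalize_name(name)] = version.strip()
    return installed


def find_vulnerable(installed: Dict[str, str], advisories) -> List[dict]:
    """Report every advisory whose affected range covers an installed version."""
    hits = []
    for adv in advisories:
        name = normalize_name(adv["package"])
        version = installed.get(name)
        if version is not None and version_in_range(version, adv["affected"]):
            hits.append({"cve": adv["cve"], "package": name,
                         "installed": version, "affected": adv["affected"]})
    return hits


if __name__ == "__main__":
    for hit in find_vulnerable(parse_freeze(SAMPLE_FREEZE), SAMPLE_ADVISORIES):
        print(f"{hit['package']}=={hit['installed']} is affected by "
              f"{hit['cve']} (affected range {hit['affected']})")
```

Run against the constructed data this flags only `examplelib==1.1.0` (inside `<1.2.3`), while `otherpkg==1.0` falls outside `<0.9`. The name normalisation step matters in practice: advisory feeds and `pip freeze` frequently disagree on case and on `-` versus `_`, and a naive string match silently misses those packages.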