PyUp’s dataset is public, and the insecure_full document posted earlier in the thread is 344 KB, so yeah, it is totally possible.

https://github.com/pyupio/safety-db/blob/master/data/insecure_full.json


On 12/2, 2019, at 17:05, Joni Orponen <j.orponen@4teamwork.ch> wrote:

On Tue, Feb 12, 2019 at 5:24 AM Tzu-ping Chung <uranusjr@gmail.com> wrote:
One way to avoid disclosing user environments to a third party is to build this into PyPI instead. The API could generate the warning for pip to display. 

How large are these kinds of databases? Would it be a conceivable thought that end users and/or CI infrastructures of organisations keep and update their local copies and thus only disclose the fact they're using such a database?

-- Joni Orponen
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-leave@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at https://mail.python.org/archives/list/distutils-sig@python.org/message/ERBNV6DJ5MTXF5KOHXZDABPQAEUJELMF/
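The local-copy approach discussed above, as an added example that is not pip's, PyPI's or PyUp's code: a pip freeze listing is checked offline against a locally stored advisory file, so the only thing ever sent over the network is the periodic download of the database itself, never the contents of the environment. The sample advisory JSON and freeze output below are constructed; the JSON follows the shape I assume insecure_full.json has ("$meta" plus package name -> list of advisories with "id" and PEP 440-style "specs"), package names and advisory ids are fictitious, and the version comparison is a simplified numeric-only reading of PEP 440, not a full implementation.

```python
"""Offline audit of a pip freeze listing against a local, safety-db style
advisory file.  Added example; the DB shape, package names and advisory
ids are assumptions, not real PyUp data."""
import json
import re
from typing import Dict, List, Tuple

# Constructed sample in the assumed insecure_full.json layout.  A real
# deployment would fetch the published file on a schedule and keep it on
# disk; this string stands in for that local copy.
SAMPLE_DB_JSON = json.dumps({
    "$meta": {"advisory": "constructed sample", "timestamp": 1549929600},
    "examplepkg": [
        {"advisory": "fictitious issue in the 1.7 and 1.8 lines",
         "cve": None, "id": "example-1",
         "specs": [">=1.8,<1.8.4", ">=1.7,<1.7.8"]},
    ],
    "other-package": [
        {"advisory": "fictitious issue fixed in 2.20.0",
         "cve": None, "id": "example-2", "specs": ["<2.20.0"]},
        {"advisory": "fictitious issue only in 3.0.x",
         "cve": None, "id": "example-3", "specs": [">=3.0,<3.1"]},
    ],
})

# Constructed `pip freeze` output, including a name that needs normalising.
SAMPLE_FREEZE = """\
examplepkg==1.7.3
Other_Package==2.19.1
unaffected==0.1
"""

_CLAUSE = re.compile(r"^(<=|>=|==|!=|<|>)\s*(.+)$")
_OPS = {
    "<": lambda c: c < 0, "<=": lambda c: c <= 0,
    ">": lambda c: c > 0, ">=": lambda c: c >= 0,
    "==": lambda c: c == 0, "!=": lambda c: c != 0,
}


def normalize(name: str) -> str:
    """PEP 503 name normalisation so 'Other_Package' and 'other-package' match."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(text: str) -> Tuple[int, ...]:
    """Keep only the numeric release segment (simplification of PEP 440)."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def cmp_versions(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Three-way compare with zero padding so that 1.8 == 1.8.0."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def spec_matches(version: str, spec: str) -> bool:
    """True if `version` satisfies every comma-separated clause in `spec`."""
    v = parse_version(version)
    for clause in spec.split(","):
        clause = clause.strip()
        if not clause:
            continue
        m = _CLAUSE.match(clause)
        if not m:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](cmp_versions(v, parse_version(bound))):
            return False
    return True


def load_db(text: str) -> Dict[str, List[dict]]:
    """Parse the local advisory file, dropping the "$meta" entry."""
    raw = json.loads(text)
    return {normalize(k): v for k, v in raw.items() if not k.startswith("$")}


def parse_freeze(text: str) -> Dict[str, str]:
    """Map normalised package name -> pinned version from pip freeze output."""
    installed = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "==" not in line:  # skip editable/VCS lines and blanks
            continue
        name, version = line.split("==", 1)
        installed[normalize(name)] = version.strip()
    return installed


def audit(installed: Dict[str, str], db: Dict[str, List[dict]]) -> List[Tuple[str, str, str]]:
    """Return (package, installed version, advisory id) for every hit.

    Everything happens in-process: the environment contents never leave the host.
    """
    findings = []
    for name, version in sorted(installed.items()):
        for adv in db.get(name, []):
            if any(spec_matches(version, s) for s in adv["specs"]):
                findings.append((name, version, adv["id"]))
    return findings


if __name__ == "__main__":
    for pkg, ver, adv_id in audit(parse_freeze(SAMPLE_FREEZE), load_db(SAMPLE_DB_JSON)):
        print(f"{pkg}=={ver} matches advisory {adv_id}")
```

Run as a CI step, the database download is the only outbound request and carries no information about which packages are installed; the comparison itself is purely local. For production use the version logic should be replaced by `packaging.specifiers`, since the numeric-only parser here deliberately ignores pre-release, post-release and local version segments.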