One way to avoid disclosing user environments to a third party is to build this into PyPI instead. The API could generate the warning for pip to display. 

This only covers packages on PyPI, of course, but trying to audit local and self-hosted packages is a fool's errand anyway IMO since there is no practical way for any tool to reliably know what *actually* is installed.

--
Tzu-ping Chung (@uranusjr)
uranusjr@gmail.com
Sent from my iPhone

On 12 Feb 2019, at 11:34, Wes Turner <wes.turner@gmail.com> wrote:

Would something like this require:

- a pip extension/plugin/post-install hook API
- a post-install hook that discloses all installed packages and versions (from pypi.org, mirrors, local directory) in exchange for checking an online security DB
- a way to specify a key to e.g. pyup

GitHub and GitLab offer similar functionality:

https://github.blog/2018-07-12-security-vulnerability-alerts-for-python/
  https://help.github.com/articles/about-security-alerts-for-vulnerable-dependencies/

https://docs.gitlab.com/ee/user/project/merge_requests/dependency_scanning.html
  https://gitlab.com/gitlab-org/security-products/dependency-scanning#supported-languages-and-package-managers

https://pyup.io

https://github.com/pyupio/safety-db

> pipenv check relies on safety and Safety-DB to check for known vulnerabilities in locked components


On Monday, February 11, 2019, Julian Berman <julian@grayvines.com> wrote:
Hi.

I recently found myself installing a node.js package, and in the process noticed that (sometime recently?) it started automatically warning about known vulnerabilities during installation of package.jsons (see https://docs.npmjs.com/cli/audit).

At work, we run safety (https://pypi.org/project/safety/) on all our projects (which has both free and paid versions). It's great.

I know there's a ton of wonderful work happening at the minute to improve underlying scaffolding + specification to enable tools other than setuptools + pip to thrive, so maybe this is the wrong moment, but I figured I'd ask anyways :) -- what are opinions on running a similar thing during pip install?

-J
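The check the thread discusses, a post-install lookup of installed packages against a known-vulnerability database, as an added example that is not part of any message above and not pip's, safety's or pyup's code. It assumes an advisory file shaped like safety-db's insecure_full.json (the sample data and CVE ids here are constructed placeholders) and implements only a small subset of PEP 440 version matching; it reads the environment with the standard library's importlib.metadata and sends nothing over the network.

```python
# Added example for the thread above, not pip's, safety's or pyup's own code. Assumes an
# advisory file shaped like safety-db's insecure_full.json and supports only a small subset
# of PEP 440: numeric dotted versions and the operators < <= > >= == joined by commas.
import json
import operator
from importlib import metadata
# Constructed advisory data in the assumed safety-db shape; CVE ids are placeholders.
SAMPLE_DB = json.loads("""
{
  "django":   [{"specs": [">=2.0,<2.0.13"], "cve": "PLACEHOLDER-CVE-1", "advisory": "constructed"}],
  "requests": [{"specs": ["<2.20.0"], "cve": "PLACEHOLDER-CVE-2", "advisory": "constructed"}]
}
""")

# Two-character operators first so that "<=" is not read as "<".
_OPS = {"<=": operator.le, ">=": operator.ge, "==": operator.eq,
        "<": operator.lt, ">": operator.gt}

def _vtuple(version: str) -> tuple:
    """'2.0.13' -> (2, 0, 13); trailing zeros dropped so '2.0' equals '2.0.0'."""
    parts = [int(p) for p in version.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def _matches(version: str, spec: str) -> bool:
    """True if version satisfies every comma-separated clause of spec."""
    v = _vtuple(version)
    for clause in (c.strip() for c in spec.split(",")):
        op_text = next((o for o in _OPS if clause.startswith(o)), None)
        if op_text is None:
            raise ValueError(f"unsupported specifier: {clause!r}")
        if not _OPS[op_text](v, _vtuple(clause[len(op_text):].strip())):
            return False
    return True

def find_vulnerable(installed: dict, db: dict) -> list:
    """(name, version, cve) for each installed package matched by an advisory."""
    hits = []
    for name, version in installed.items():
        for entry in db.get(name.lower(), []):
            if any(_matches(version, spec) for spec in entry["specs"]):
                hits.append((name, version, entry["cve"]))
    return hits

if __name__ == "__main__":
    # The post-install warning the thread proposes, computed locally with no data sent anywhere.
    installed = {d.metadata["Name"]: d.version for d in metadata.distributions()}
    for name, version, cve in find_vulnerable(installed, SAMPLE_DB):
        print(f"WARNING: {name} {version} has a known vulnerability ({cve})")
```

Running the check against a locally synced copy of the database is what keeps the installed-package list on the user's machine, which is the disclosure concern raised at the top of the thread.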
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-leave@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at https://mail.python.org/archives/list/distutils-sig@python.org/message/GSTL47B4CREYHKOS5I47WOPQURBKTOAY/