[Distutils] has_security_fixes flag in PyPI

Dariusz Suchojad dsuch at zato.io
Sat Sep 21 16:00:05 CEST 2013


Hello,

I'd like to discuss and possibly implement a feature of PyPI that would
facilitate quickly discovering which of a given project's
dependencies need to be updated because of new security-related fixes.

A little background is in order.

Zato currently has 80+ buildout dependencies

https://github.com/zatosource/zato/blob/master/code/versions.cfg

and I'm betting at least 80 more will be added with time. I'm in a camp
that has absolutely no problems with as many dependencies as are needed
if it saves time and means fewer wheels being reinvented.

Once a dependency is in, it's pinned to a concrete version and that
version is updated only in a couple of situations:

1. Stability fixes that are to do with the functionality currently in
use by Zato
2. A dependency offers a new functionality I'd like to make use of
3. A version disappears from PyPI
4. A security fix is available

For the last point, it would be really convenient if authors were
offered a 'contains security fixes' kind of checkbox somewhere in the GUI.

This would be displayed in a couple of places:

- On the project's PyPI page, for instance here -
https://pypi.python.org/pypi/redis - there could be a 'This version
contains security fixes' box right below the download button

- It would be added to the Recent Updates feed
https://pypi.python.org/pypi?%3Aaction=rss

- There would be a new feed at /pypi?%3Aaction=security_rss that would
list only those recent uploads that have the flag set

As far as the underlying database goes, this would be a single boolean
column in the 'releases' table.

Such a feature would allow for quickly reacting to any security changes
without chasing dozens of mailing lists, Twitter, RSS, asking authors
to be notified when they change something etc.

Naturally, nothing would force people to actually use it but authors who
treat their own work seriously would hopefully find it an interesting
addition as well.

I'm familiarizing myself with https://bitbucket.org/pypa/pypi right now
but I'd like to ask you if such a feature would be accepted at all if I
implemented it. Also, it's not a priority one so if someone beats me to
it, it's all good with me.

cheers and take care,

-- 
Dariusz Suchojad

https://zato.io
ESB, SOA and cloud integrations in Python
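The consumer side of the proposal above, as an added example that is not part of the original post or of PyPI: a script that reads the pinned versions from a buildout versions.cfg and cross-checks them against a security_rss feed of the shape the post describes. The feed content, the cfg content, and the "name version" item-title format are all constructed assumptions; the version comparison is deliberately simplified.

```python
"""Cross-check buildout pins against a (hypothetical) PyPI security-fix feed."""
import configparser
import re
import xml.etree.ElementTree as ET

# Constructed sample of a buildout versions.cfg fragment (pins are invented).
VERSIONS_CFG = """\
[versions]
redis = 2.7.2
requests = 1.2.3
lxml = 3.2.1
"""

# Constructed sample of what /pypi?%3Aaction=security_rss might return; the
# "name version" title form mirrors the existing PyPI RSS feed (assumption).
SECURITY_RSS = """\
<?xml version="1.0"?>
<rss version="2.0"><channel>
<item><title>redis 2.8.0</title><link>https://pypi.python.org/pypi/redis/2.8.0</link></item>
<item><title>requests 1.2.3</title><link>https://pypi.python.org/pypi/requests/1.2.3</link></item>
<item><title>unrelated 0.1</title><link>https://pypi.python.org/pypi/unrelated/0.1</link></item>
</channel></rss>
"""

def parse_pins(cfg_text):
    """Return {name: pinned_version} from the [versions] section (names lowercased)."""
    cp = configparser.ConfigParser()
    cp.read_string(cfg_text)
    return {name.lower(): ver for name, ver in cp.items("versions")}

def parse_feed(rss_text):
    """Return [(name, version)] for every <item> whose title is 'name version'."""
    root = ET.fromstring(rss_text)
    releases = []
    for item in root.iter("item"):
        name, _, ver = item.findtext("title").rpartition(" ")
        releases.append((name.lower(), ver))
    return releases

def version_key(ver):
    """Simplified comparison key: dotted integers only (assumption; not PEP 440)."""
    return tuple(int(p) if p.isdigit() else -1 for p in re.split(r"[.\-]", ver))

def security_updates(pins, feed):
    """Return {name: (pinned, flagged)} for pins older than a flagged release."""
    hits = {}
    for name, ver in feed:
        pinned = pins.get(name)
        if pinned is not None and version_key(pinned) < version_key(ver):
            hits[name] = (pinned, ver)
    return hits
```

Running `security_updates(parse_pins(VERSIONS_CFG), parse_feed(SECURITY_RSS))` on the sample data reports only redis, since the pinned requests version is already the flagged one and lxml does not appear in the feed.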
