[Distutils] has_security_fixes flag in PyPI

Nick Coghlan ncoghlan at gmail.com
Sun Sep 22 03:12:42 CEST 2013


On 22 Sep 2013 01:20, "Dariusz Suchojad" <dsuch at zato.io> wrote:
>
> On 09/21/2013 04:51 PM, Donald Stufft wrote:
>
> > Any changes to PyPI would require the projects themselves to flag a
> > security issue which won't always happen. A third party project allows a
> > neutral party to handle this.
>
> One thing I don't fully get is how victi.ms - or any third party -
> collects information regarding the vulnerabilities?
>
> I understand there would be two sources of information?
>
> - public vulnerability databases
> - data submitted by package maintainers themselves (this would have to
> be routed to a third party somehow)

victi.ms is still in the process of launching - they want to have at least
Java, Python and Ruby support before making a big push to promote it as a
resource.

I believe the initial intent is for victi.ms to focus on mapping CVE
numbers to upstream packages, and then have optional plugins to check Maven
builds, Ruby gem dependencies and Python virtual environments for known
vulnerable versions.

For PyPI integration, I would expect to initially see us as just a consumer
of the data, displaying CVE information on PyPI when available, and likely
republishing it through the PyPI APIs.

Even that would be a big step forward from where we are now :)

Cheers,
Nick.

> > Also, as Nick said, PyPI itself is mostly in a holding pattern while a 2.0
> > is being phased in; new features *are* possible but they are all weighed
> > against the amount of effort it will take (x2).
>
> Sure, I understand it now.
>
> cheers,
>
> --
> Dariusz Suchojad
>
> https://zato.io
> ESB, SOA and cloud integrations in Python
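An added example, not victi.ms, PyPI or any project's code, of the check Nick describes: a feed mapping CVE ids to upstream packages and affected version ranges, matched against a `pip freeze` style listing of a virtual environment. The feed shape, the placeholder CVE ids, package names and versions, and the simplified release-only version parsing are all constructed assumptions.

```python
from typing import Dict, List, Tuple

# Constructed feed (placeholder CVE ids): affected if introduced <= version < fixed_in.
VULN_FEED = [
    {"cve": "CVE-0000-0001", "package": "examplelib", "introduced": "1.0", "fixed_in": "1.4.10"},
    {"cve": "CVE-0000-0002", "package": "examplelib", "introduced": "2.0", "fixed_in": "2.1"},
    {"cve": "CVE-0000-0003", "package": "otherpkg", "introduced": "0", "fixed_in": "0.9.2"},
]

# Constructed `pip freeze` output for a virtual environment.
FROZEN = """\
examplelib==1.4.9
otherpkg==0.9.2
Safe_Package==3.0
"""

def parse_version(v: str) -> Tuple[int, ...]:
    """Release segments only ('1.4.10' -> (1, 4, 10)); trailing zeros dropped so
    '1.4' == '1.4.0'. Tuple compare avoids the string trap where '1.4.9' > '1.4.10'."""
    parts = tuple(int(p) for p in v.strip().split("."))
    while len(parts) > 1 and parts[-1] == 0:
        parts = parts[:-1]
    return parts

def normalize_name(name: str) -> str:
    """PyPI names are case-insensitive and treat '-' and '_' alike."""
    return name.strip().lower().replace("_", "-")

def parse_freeze(text: str) -> Dict[str, str]:
    """Map normalized package name -> pinned version from `name==version` lines."""
    installed: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue
        name, _, version = line.partition("==")
        installed[normalize_name(name)] = version.strip()
    return installed

def is_affected(version: str, introduced: str, fixed_in: str) -> bool:
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed_in)

def find_vulnerable(freeze_text: str, feed=VULN_FEED) -> List[Tuple[str, str, str]]:
    installed = parse_freeze(freeze_text)
    hits = []
    for e in feed:
        pkg = normalize_name(e["package"])
        if pkg in installed and is_affected(installed[pkg], e["introduced"], e["fixed_in"]):
            hits.append((e["cve"], pkg, installed[pkg]))
    return sorted(hits)
```

Running `find_vulnerable(FROZEN)` flags only examplelib 1.4.9, since otherpkg is already at the fixed-in version; a naive string comparison would have missed the 1.4.9 < 1.4.10 case.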