[Distutils] has_security_fixes flag in PyPI

Dariusz Suchojad dsuch at zato.io
Sat Sep 21 17:18:23 CEST 2013


On 09/21/2013 04:51 PM, Donald Stufft wrote:

> Any changes to PyPI would require the projects themselves to flag a
> security issue which won't always happen. A third party project allows a
> neutral party to handle this.

One thing I don't fully get is how victi.ms - or any third party -
collect information regarding the vulnerabilities?

I understand there would be two sources of information?

- public vulnerability databases
- data submitted by package maintainers themselves (this would have to
be routed to a third party somehow)

> Also as Nick said PyPI itself is mostly in a holding pattern while a 2.0
> is being phased in, new features *are* possible but they are all weighed
> against the amount of effort it will take (x2).

Sure, I understand it now.

cheers,

-- 
Dariusz Suchojad

https://zato.io
ESB, SOA and cloud integrations in Python


More information about the Distutils-SIG mailing list