[Python-Dev] PEP 594: Removing dead batteries from the standard library (original) (raw)
Steven D'Aprano steve at pearwood.info
Wed May 22 06:37:28 EDT 2019
- Previous message (by thread): [Python-Dev] PEP 594: Removing dead batteries from the standard library
- Next message (by thread): [Python-Dev] PEP 594: Removing dead batteries from the standard library
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Wed, May 22, 2019 at 01:59:59PM +0900, Stephen J. Turnbull wrote:
> This looks to me like an opening to a special class of supply chain attacks. [...]
> One thing we could do that would require moderate effort would be to put them up on PyPI ourselves, and require that would-be maintainers be given a (light) vetting before handing over the keys. (Maybe just require that they be subscribers to the Dead Parrot SIG? :-)
Because black hat hackers don't know how to subscribe to a SIG? wink
I'm just gonna leave this here...
https://www.ietf.org/rfc/rfc3514.txt
Python is open source, anyone can fork any module from the std lib for any purposes. We can't stop that. But your earlier point about supply chain attacks is very valid. Modules we shift out of the stdlib become more vulnerable to supply chain attacks, because more people will have to download them, giving more opportunity for typo-squatter attacks.
-- Steven