[Python-Dev] PEP 594: Removing dead batteries from the standard library (original) (raw)
Christian Heimes christian at python.org
Wed May 22 08:19:02 EDT 2019
- Previous message (by thread): [Python-Dev] PEP 594: Removing dead batteries from the standard library
- Next message (by thread): [Python-Dev] PEP 594: Removing dead batteries from the standard library
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On 22/05/2019 06.59, Stephen J. Turnbull wrote:
Christian Heimes writes:
> It's all open source. It's up to the Python community to adopt > packages and provide them on PyPI. > > Python core will not maintain and distribute the packages. I'll > merely provide a repository with packages to help kick-starting the > process. This looks to me like an opening to a special class of supply chain attacks. I realize that PyPI is not yet particularly robust to such attacks, and we have seen "similar name" attacks (malware uploaded under a name similar to a popular package). ISTM that this approach to implementing the PEP will enable "identical name" attacks. (By download count, stdlib packages are as popular as Python. :-)
I don't consider this an argument against my proposal, but an argument in favor of improving PyPI.
I propose a deal: If you get PEP 453 (ensurepip) revoked, ensurepip removed from the standard library, and the recommendation for the requests package on urllib.request replaced with a big, fat security warning, then I'll reconsider my proposal to recommend PyPI.:)
My PEP acts in good faith. As long as CPython's stdlib ships pip and embraces PyPI, I don't see any reason to distrust PyPI. Yes, PyPI is not Fort Knox. In my humble opinion it's more than secure enough for my proposal.
Christian
- Previous message (by thread): [Python-Dev] PEP 594: Removing dead batteries from the standard library
- Next message (by thread): [Python-Dev] PEP 594: Removing dead batteries from the standard library
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]