Security Notification Systems for Python Packages

[philippeowagner]

Having the following scenario: We are open sourcing apps from time to time and maintaining them as well ;-). Our most popular Django app is django-hijack. Days back we had a little security vulnerability in hijack, nothing really problematic but it was an issue. We had no real plan how to communicate to all the users that runs the app it in production.... However, it's not just us – others have this problem too!

Fixing a security vulnerability is one thing, but communicating it is something different. Honestly we had no real tools for that, something like a mailing list for example. It feels wrong using mailing lists for this use-case anyway. How to organise them? One for all our apps, one for the GitHub organisation, one for each app/project we open source?

A great thing would be to automatically subscribe to the apps/packages I do "pip install", "subscribe" or download from the CheeseShop. In case an app has a serious security vulnerability I would be notified by my channel of choice linked to my PyPI account. Without talking about the technical details how this could be done, do you Donald et al. think this is a legit use-case that could be added to this platform and adds value for others?

I look forward for your feedback.

[nlhkabu]

@dstufft I have been talking to @philippeowagner about this by email. I personally think it is a great idea, so long as users are provided with enough control to manage their notifications, both when they install a package and later via Warehouse. 👍

[sephii]

I would be very interested by this feature. Also at the moment there's no way to tell whether a version of a package you're using has any known security vulnerability or not. The only information you can currently get is "am I running the latest version of this package?" and not "am I running a secure version of this package?".

This would also help security checks made by tools such as requires.io, which as far as I know rely on manual checking at the moment.

[sigmavirus24]

Along similar lines, perhaps some metadata along the lines of This release fixes CVE-201Y-ABCD. And the ability to search by CVE-ID?

[ewdurbin]

Could a feature be introduced into pip which blocks pip from installing a release marked as vulnerable on an opt-in basis?

Similar to the way --allow-external was introduced.

Explicitly declaring that vulnerable packages are installed would give a method for application developers to be quickly alerted... assuming sane CI environments.

Anecdotally... I have learned a bunch about the consistent progress made with setuptools and pip by adding python -m pip install -U setuptools pip to my Travis builds and waiting for a red build :)

[ewdurbin]

To clarify, I feel that the external hosting issue is a weaker security concern that fits in the same realm as "known bad" releases.

They are a kind of META-meta-data that are perfect candidates for mutable state

[apollo13]

Yes, we just discussed this at "django under the hood" and it would be great to have something in that area!