Re: [python-security] Python library security announcement list

170 views
Skip to first unread message

Craig Younkins

unread,
Jul 22, 2012, 3:10:12 PM7/22/12
to python-...@googlegroups.com
Yeah, I agree that security announcements are a bit of a problem. When I read your post I envisioned a site where you could check boxes for the libraries you use. That way you don't get noise with your subscription. It could also have boxes for tons of libraries that aren't signed up for the site, which we can use to pressure the developers of that library.

Luke, would you personally find such a service more useful than the PythonSecurity.org wiki? (other people, please respond as well) I can use that to determine where I should spend my time.

Craig Younkins



On Sat, Jul 21, 2012 at 5:52 PM, Luke Plant <l.pla...@cantab.net> wrote:
Hi all,

Something I've been worrying about for a while is the need for a security announcement list for small Python libraries that might be used in a typical web site.

For example, there are *many* Django libraries/app out there, most of them far too small to have their own mailing lists (and very few would be subscribed if they had one), but certainly capable of needing a security announcement mechanism. I have written several libraries like this myself which could at least in theory have security problems, and I would have no effective way to announce that to my users.

One central mailing list for these kinds of apps, which I could post to as a library author, and subscribe to as a developer, might be a good solution to this.

Does such a thing already exist? If not, is this group interested in creating it?

It would probably be a good idea to make this applicable to any Python library that could be used in a web app situation, although my particular interest is Django apps - there will certainly be Python libraries that are not specific to Django/Zope/Pyramid etc but could be used in projects using those frameworks.

I guess some might say this list could be used, but I really don't think that would be appropriate. What I think we need is a list that is *solely* for security announcements, and not any further discussion. It should be something that all Python web developers would be subscribed too, and so would need fairly strict rules about who can post and what subjects etc. so that it remains low traffic.

It would also need to be separate from the announcements for Python itself, though I guess it might be a good idea to host it under a python.org address.

I think to be effective it would need buy in from at least other web frameworks, as something to promote as a standard mailing list that developers should be subscribed too.

It could possibly be linked to PyPI - which might encourage some people to actually publish their packages to PyPI. I'm wondering if PyPI or the packaging libraries already have some infrastructure to deal with this - if so I don't know what it is, and it isn't well known.

What do people think?


Luke Plant (Django committer)

Luke Plant

unread,
Jul 23, 2012, 6:28:53 AM7/23/12
to python-...@googlegroups.com
On 22/07/12 20:10, Craig Younkins wrote:
> Yeah, I agree that security announcements are a bit of a problem.
> When I read your post I envisioned a site where you could check boxes
> for the libraries you use. That way you don't get noise with your
> subscription. It could also have boxes for tons of libraries that
> aren't signed up for the site, which we can use to pressure the
> developers of that library.
>
> Luke, would you personally find such a service more useful than the
> PythonSecurity.org wiki? (other people, please respond as well) I
> can use that to determine where I should spend my time.


I personally would be happy as long as the service 'pushed' the
information to me on a system I already use very regularly, showing me
what is new, and in a way that I can control exactly when I look at it.
So for me:

- email is fine, since I already use email daily

- RSS/Atom is fine, since I already have a feed reader

- SMS would be too intrusive/interruptive

- a web page that I have to remember to visit, and mentally keep
track of what is new and what I saw last time, wouldn't
be of much use to me.

I would prefer email out of these options.

I too had imagined a site where you could subscribe to specific
packages. The problem is that I would have to remember to keep my
subscriptions updated every time I added a new dependency to any
project. Psychologically, at the point where I'm adding packages, I
don't want to stop and deal with that kind of admin - I want to get on
and code - but if I don't do it then, I'll forget.

In fact, there are many cases where I add a dependency, or at least
download it and try it, then decide against it, or later abandon the
project. All these possibilities mean that for me at least, my
subscriptions would get out of date easilt, and I'm much more likely to
end up getting the security announcements I need if I'm just subscribed
to everything.

A specific subscription service would also increases the complexity of
the system from essentially just a mailing list and someone
moderator/managing who can post to it, to a significantly bigger system
that would require maintenance. IMO, it would be better to wait until
the traffic on such a list is a genuine problem before adding ways of
automatically filtering it out per user.

There is another benefit of getting 'irrelevant' security announcements
- it could raise the profile of certain security problems that I may
have forgotten about as a library/web site developer. If I see "package
foobar was not correctly sanitising file names for uploads, allowing
dangerous extensions like .php to be placed on the server", then I might
realise that my project does the same, although I wasn't using foobar.

I do agree that we would need a way to publicise this so library
developers feel that they ought to be on it. If it gains support here,
we could ask the other major frameworks (Zope, Turbogears etc) what they
thought, and if they have any mechanism in place.

Regards,

Luke


--
"Pretension: The downside of being better than everyone else is
that people tend to assume you're pretentious." (despair.com)

Luke Plant || http://lukeplant.me.uk/

Luke Plant

unread,
Jul 23, 2012, 6:53:54 AM7/23/12
to python-...@googlegroups.com
I should have put in my first post: we should definitely be looking to
coordinate with CVE for something like this:

http://cve.mitre.org/index.html

CVE itself is probably too scary for most Python developers to want to
use directly, and it's output will cover a huge number number of things
that are irrelevant to most Python developers. What I'm essentially
proposing is a CVE compatible service - a middleman that does filtering
for subscribers, and a friendly interface for announcers. Whoever runs
this service would need to know how to contact CVE etc, but your average
Python library developers shouldn't need to know this stuff.

Luke

On 22/07/12 20:10, Craig Younkins wrote:
> python.org <http://python.org> address.
>
> I think to be effective it would need buy in from at least other web
> frameworks, as something to promote as a standard mailing list that
> developers should be subscribed too.
>
> It could possibly be linked to PyPI - which might encourage some
> people to actually publish their packages to PyPI. I'm wondering if
> PyPI or the packaging libraries already have some infrastructure to
> deal with this - if so I don't know what it is, and it isn't well known.
>
> What do people think?
>
>
> Luke Plant (Django committer)
>
>


Grant Murphy

unread,
Jul 23, 2012, 9:12:51 PM7/23/12
to python-...@googlegroups.com
Hey, 

Thought I'd share a couple of existing RSS type sources that could be leveraged and utilized for this type of thing. These are general resources that you would need to filter for Python specific things so not sure how useful it will be. 

This feed contains the most recent CVE cyber vulnerabilities published within the National Vulnerability Database.

The open source vulnerability database also has a rest API and search capabilities. 

A regular announcement service could be built off of these resources but it would require every small python library project to follow responsible vulnerability disclosure practices and utilizes a service such as http://www.ocert.org/ which I'm guessing currently doesn't happen. 

Cheers, 
Grant. 

On Tue, Jul 24, 2012 at 4:50 AM, Cezar Jenkins <empero...@gmail.com> wrote:
I prefer a mailing list or something with an RSS feed. That said, and forgive my naivety, but it seems like there is an issue of packaging.

In the long run though. I would like a way to just have pip or whatever update only security releases. Or course, there isn't a way to mark a release on PyPI as a security release, so there's no way for pip to pick that up.

On Saturday, July 21, 2012 4:52:39 PM UTC-5, Luke Plant wrote:
Hi all,

Something I've been worrying about for a while is the need for a security announcement list for small Python libraries that might be used in a typical web site.

For example, there are *many* Django libraries/app out there, most of them far too small to have their own mailing lists (and very few would be subscribed if they had one), but certainly capable of needing a security announcement mechanism. I have written several libraries like this myself which could at least in theory have security problems, and I would have no effective way to announce that to my users.

One central mailing list for these kinds of apps, which I could post to as a library author, and subscribe to as a developer, might be a good solution to this.

Does such a thing already exist? If not, is this group interested in creating it?

It would probably be a good idea to make this applicable to any Python library that could be used in a web app situation, although my particular interest is Django apps - there will certainly be Python libraries that are not specific to Django/Zope/Pyramid etc but could be used in projects using those frameworks.

I guess some might say this list could be used, but I really don't think that would be appropriate. What I think we need is a list that is *solely* for security announcements, and not any further discussion. It should be something that all Python web developers would be subscribed too, and so would need fairly strict rules about who can post and what subjects etc. so that it remains low traffic.

It would also need to be separate from the announcements for Python itself, though I guess it might be a good idea to host it under a python.org address.
Reply all
Reply to author
Forward
0 new messages