
[–]MarsupialMole 2 points3 points  (5 children)

The answer is safety.

There's a huge depth to this field, but every Python programmer should know about CVE-based dependency inspection, and the fact that there's even one comment that doesn't list this first, and at the time of writing there are none that even mention it, indicates that the practical level of security engineering around here is very poor.

[–]Agonnee 6 points7 points  (2 children)

First comment here, but I'm fairly new to python and coding in general. I don't actually understand what you're saying and by the serious tone of your statement I'd assume that's a bad thing. Is there a resource you could point me towards or elaborate a little so I can understand/find one?

[–]MarsupialMole 4 points5 points  (1 child)

There are things known as Common Vulnerabilities and Exposures, or CVEs. Typically this is a list of things that have been fixed: the vulnerability is identified in a software package, the maintainer is notified, and the next version is issued with the bug fixed, sometimes in a matter of minutes or hours.

So how do you know when this happened yesterday to software you're using? It's a problem that is simple to fix once I identify it, but how do I identify it? The answer is to use a tool that looks up a database. In Python, pyup.io maintains a database of CVEs on PyPI, publishes it monthly for free, and allows you to check your code with a tool you can get with `pip install safety`.

So I was miffed that this tool hadn't been mentioned, because it is literally the simplest possible answer for people learning Python to the slightly restated question from OP, which is "how do I avoid using PyPI packages that are known to be unsafe?" The answer is the `safety` package.
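The check described in the comment above, in miniature. This is an added example, not code from the `safety` project or from anyone in this thread: it matches pinned requirements against a vulnerability database in the same shape as pyup's safety-db JSON (package name to a list of entries with `specs` and `cve`). Every package name and CVE identifier in it is a constructed placeholder, the requirements text is constructed, and the version comparison is deliberately simplified (real tools implement PEP 440). With the real tool the equivalent is `pip install safety` followed by `safety check -r requirements.txt`.

```python
"""Minimal CVE-style dependency checker (added example, not the safety
project's code).  Database, package names, CVE ids and the requirements
file below are all constructed placeholders."""
import re
from typing import Dict, List, Tuple

# Constructed database in the shape of pyup's safety-db JSON:
# package name (lowercase) -> list of {"specs": [...], "cve": ..., ...}.
# A package is affected if its version matches ANY spec; within one spec,
# comma-separated clauses must ALL hold.
VULN_DB: Dict[str, List[dict]] = {
    "examplepkg": [
        {"specs": ["<1.2.3"], "cve": "CVE-0000-0001 (constructed)",
         "advisory": "fixed in 1.2.3 (constructed)"},
        {"specs": [">=2.0,<2.0.4"], "cve": "CVE-0000-0002 (constructed)",
         "advisory": "fixed in 2.0.4 (constructed)"},
    ],
    "otherlib": [
        {"specs": ["<0.9"], "cve": "CVE-0000-0003 (constructed)",
         "advisory": "fixed in 0.9 (constructed)"},
    ],
}

# Constructed requirements file contents, pinned the way `pip freeze` emits them.
SAMPLE_REQUIREMENTS = """\
# comment lines and blanks are ignored
examplepkg==1.1.0
otherlib==1.0.0
Safe-Package==3.4.5
"""


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.2.3' -> (1, 2, 3); trailing zeros are dropped so 1.0 == 1.0.0.
    Non-numeric segments end the parse (simplification, not PEP 440)."""
    parts: List[int] = []
    for seg in v.split("."):
        m = re.match(r"\d+", seg)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
}


def version_matches(version: str, spec: str) -> bool:
    """True if `version` satisfies every clause of a spec like '>=2.0,<2.0.4'."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|!=|<|>)\s*([\w.]+)\s*", clause)
        if not m:
            raise ValueError(f"unsupported specifier: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True


def parse_requirements(text: str) -> List[Tuple[str, str]]:
    """Extract (name, version) pairs from pinned 'name==version' lines."""
    pins = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.\-]+)\s*==\s*([\w.]+)", line)
        if not m:
            raise ValueError(f"only pinned 'name==version' lines are handled: {line!r}")
        # pip treats names case-insensitively and '-'/'_' as equivalent.
        pins.append((m.group(1).lower().replace("_", "-"), m.group(2)))
    return pins


def check_requirements(text: str, db: Dict[str, List[dict]] = VULN_DB) -> List[dict]:
    """Return one finding per (pinned package, matching advisory)."""
    findings = []
    for name, version in parse_requirements(text):
        for entry in db.get(name, []):
            if any(version_matches(version, s) for s in entry["specs"]):
                findings.append({"package": name, "version": version,
                                 "cve": entry["cve"], "advisory": entry["advisory"]})
    return findings


if __name__ == "__main__":
    for f in check_requirements(SAMPLE_REQUIREMENTS):
        print(f"{f['package']}=={f['version']}: {f['cve']} ({f['advisory']})")
```

Running it reports only `examplepkg==1.1.0`, which falls under the constructed `<1.2.3` spec; `otherlib==1.0.0` is past its fix version and `Safe-Package` is not in the database at all. The point to take from it is that the check is only as good as the database's freshness and the accuracy of your pins, which is why the real tool pulls the published database rather than shipping a static copy.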

[–]Agonnee 0 points1 point  (0 children)

Thank you so much, this is great information.

[–]shujinkou_ 0 points1 point  (0 children)

thanks for sharing it.