I'm just learning about Rye, and so far I am really impressed, so apologies in advance if I have missed this in the documentation.
Something that would be a pretty big deal for my team is automatically gatekeeping package installation. Installing secure packages should be a default, so my broad suggestion is to automate gatekeeping the installation of packages based on whether they have known security issues.
From a user's perspective it might look something like this:

```console
$ rye add <badpackage>
The package <badpackage> has a security advisory on it, and has been blocked from installation. See <helpful_link> for more information. To override this safety mechanism, use the `-F` flag to force install the package. We do not recommend this in general.
```
This is not something I know a lot about, so I regret to say I don't have a lot of advice about implementation. Security is not my specialty. I'm also only a baby rustacean so my ability to contribute to the Rust part is pretty limited right now (e.g. See A Rust Implementation of a Simple Car DES for an example).
But here are a few things to look into (for what it's worth):
- pip-audit uses the Python packaging advisory database. Maybe integration with pip-audit is possible? Or more directly accessing the advisory database?

I'd be happy to chat about this more. It isn't a fully clarified idea, but I am happy to iterate and be kept in the loop for feedback.