psf / fundable-packaging-improvements

Packaging improvements that could be funded

Security notifications for vulnerable packages #37

Open xmunoz opened 3 years ago

xmunoz commented 3 years ago

To keep PyPI's users secure, we want to give them an opt-in communication channel to hear about security vulnerabilities for the packages they use. Implementing this would also give us architectural support to warn or prevent pip users who try to install a PyPI package that's been found to be broken or malware. We need funding for user experience work, development, testing, infrastructure, potentially platform services (e.g., SMS), and community outreach.
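As an added illustration of the "warn or prevent" install path described above (example code written for this page, not pip's or PyPI's code and not a design proposed in the issue), the script below checks a requested package and version against an advisory list. The advisory records, their identifiers (DEMO-0001, DEMO-0002), package names and field layout are constructed assumptions; the name normalisation follows PEP 503, and the version comparison is a deliberately simplified stand-in for PEP 440 that rejects anything it cannot compare safely.

```python
import re

# Constructed advisory records for the demo; not a real PyPI feed.
ADVISORIES = [
    {
        "id": "DEMO-0001",            # hypothetical identifier
        "package": "Example_Lib",     # hypothetical package
        "introduced": "1.0.0",        # first affected release
        "fixed": "1.4.2",             # first release carrying the fix
        "kind": "vulnerability",
        "note": "constructed: path traversal in config loader",
    },
    {
        "id": "DEMO-0002",
        "package": "bad-pkg",
        "introduced": "0",
        "fixed": None,                # every release is malicious
        "kind": "malware",
        "note": "constructed: typosquat that exfiltrates credentials",
    },
]


def normalize_name(name: str) -> str:
    """PEP 503 normalisation: lower-case, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(version: str) -> tuple[int, ...]:
    """Parse a dotted-integer release version into a comparable tuple.

    Simplified stand-in for PEP 440: pre-releases, epochs and local versions
    are rejected (ValueError) rather than silently mis-compared.
    """
    parts = version.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {version!r}")
    return tuple(int(p) for p in parts)


def version_in_range(version, introduced, fixed):
    """True when introduced <= version < fixed ('fixed' None means unfixed).

    Tuples are zero-padded to a common length so 1.4 and 1.4.0 compare equal.
    """
    width = max(len(version), len(introduced), len(fixed or ()))

    def pad(t):
        return t + (0,) * (width - len(t))

    if pad(version) < pad(introduced):
        return False
    return fixed is None or pad(version) < pad(fixed)


def matching_advisories(name, version, advisories=ADVISORIES):
    """Return the advisories whose package and affected range cover name==version."""
    norm = normalize_name(name)
    v = parse_version(version)
    hits = []
    for adv in advisories:
        if normalize_name(adv["package"]) != norm:
            continue
        lo = parse_version(adv["introduced"])
        hi = parse_version(adv["fixed"]) if adv["fixed"] is not None else None
        if version_in_range(v, lo, hi):
            hits.append(adv)
    return hits


def decide(name, version, advisories=ADVISORIES, block_malware=True):
    """Map advisory hits to an action: 'install', 'warn' or 'block'.

    Known malware is blocked outright (block_malware=False downgrades it to a
    warning); a vulnerability only warns, because the user may have a reason
    to pin an older release and must be allowed to proceed knowingly.
    """
    hits = matching_advisories(name, version, advisories)
    if not hits:
        return "install", hits
    if block_malware and any(h["kind"] == "malware" for h in hits):
        return "block", hits
    return "warn", hits


if __name__ == "__main__":
    # Constructed requirements run through the check.
    requested = [("example-lib", "1.2.0"), ("Example.Lib", "1.4.2"), ("bad_pkg", "2.0")]
    for name, version in requested:
        action, hits = decide(name, version)
        ids = ", ".join(h["id"] for h in hits) or "-"
        print(f"{name}=={version}: {action} ({ids})")
```

The two things worth noticing are that the package name is normalised on both sides before comparison, so `Example_Lib`, `example-lib` and `Example.Lib` all resolve to the same advisory, and that the range check uses a half-open interval `[introduced, fixed)`, so the release that ships the fix is itself treated as clean.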