I'm just learning about Rye, and so far I am really impressed, so apologies in advance if I have missed this in the documentation.
Something that would be a pretty big deal for my team is automatically gatekeeping package installation. Installing secure packages should be a default, so my broad suggestion is to automate gatekeeping the installation of packages based on whether they have known security issues.
From a user's perspective it might look something like this:
```
$ rye add <badpackage>
The package <badpackage> has a security advisory on it, and has been blocked from installation. See <helpful_link> for more information. To override this safety mechanism, use the `-F` flag to force install the package. We do not recommend this in general.
```
This is not something I know a lot about, so I regret to say I don't have a lot of advice about implementation. Security is not my specialty. I'm also only a baby rustacean so my ability to contribute to the Rust part is pretty limited right now (e.g. See A Rust Implementation of a Simple Car DES for an example).
But here's a few things to look into (for what it's worth):
- pip-audit uses the Python packaging advisory database. Maybe integration with pip-audit is possible? Or more directly accessing the advisory database?

I'd be happy to chat about this more. It isn't a fully clarified idea, but I am happy to iterate and be kept in the loop for feedback.
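As an added illustration of the gate this issue proposes (example code, not code from the issue or from Rye), here is how a `rye add` front-end could decide, assuming advisory records in the OSV shape used by the Python packaging advisory database; the advisories, ids and URLs below are constructed placeholders, and only the explicit `versions` lists those records carry are checked, not `ranges`.

```python
import re

# Constructed sample advisories in OSV shape; ids and URLs are placeholders.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-0001",
     "summary": "constructed: path traversal on extract",
     "affected": [{"package": {"ecosystem": "PyPI", "name": "Bad_Package"},
                   "versions": ["1.0.0", "1.0.1", "1.1.0"]}],
     "references": [{"url": "https://example.invalid/EXAMPLE-0001"}]},
    {"id": "EXAMPLE-0002",  # same name, other ecosystem: must NOT match
     "summary": "constructed: unrelated npm advisory",
     "affected": [{"package": {"ecosystem": "npm", "name": "bad-package"},
                   "versions": ["1.0.0"]}]},
]

def normalize(name: str) -> str:
    """PEP 503 name normalisation: 'Bad_Package' == 'bad-package'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def matching_advisories(name, version, advisories):
    """Advisories whose PyPI 'affected' entry lists this exact version."""
    hits = []
    for adv in advisories:
        for aff in adv.get("affected", []):
            pkg = aff.get("package", {})
            if pkg.get("ecosystem") != "PyPI":
                continue
            if normalize(pkg.get("name", "")) != normalize(name):
                continue
            if version in aff.get("versions", []):
                hits.append(adv)
                break  # one hit per advisory is enough
    return hits

def gate_install(name, version, advisories=SAMPLE_ADVISORIES, force=False):
    """Return (allowed, advisory_ids, message) for `rye add name==version`.

    Default-deny when a PyPI advisory lists the version; `force` mirrors
    the proposed -F flag and allows the install but keeps the warning.
    """
    hits = matching_advisories(name, version, advisories)
    ids = [h["id"] for h in hits]
    if not hits:
        return True, ids, f"{name}=={version}: no known advisories"
    links = ", ".join(r["url"] for h in hits for r in h.get("references", []))
    if force:
        return True, ids, f"warning: installing {name}=={version} despite {ids}"
    return False, ids, (f"{name}=={version} is affected by {ids} and was blocked."
                        f" See {links}. Re-run with -F to override.")

if __name__ == "__main__":
    print(gate_install("bad-package", "1.0.1")[2])
```

A real integration would fetch records from the advisory database (as pip-audit does) and also evaluate OSV `ranges`, which this sketch leaves out.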