Hacker News

charcircuit, yesterday at 7:17 PM (2 replies)

It should not let people download unscanned dependencies without a warning and asking the user to override and use a potentially insecure package. If such a security bug is critical enough to need to bypass this time (spoiler: realistically it is not actually that bad for a security fix to be delayed), they can work with the PyPI security team to do a quicker manual review of the change.


Replies

Reddit_MLP2, yesterday at 9:18 PM

Sadly, I still worry about that. An install fails once, you hard-code the --force flag in all your CI/CD jobs, and we are back in the same place again. I am not sure what the answer is, though problems...

simonw, yesterday at 9:24 PM

What happens then if the security scanners say something is safe and it turns out not to be?

I don't think PyPI should be in the business of saying if a piece of software is safe to install or not.
