How to report a security bug of pip?
Description
Hello, I want to know how to report a security bug of pip. Thank you.
Expected behavior
None
pip version
22.0.4
Python version
3.10.4
OS
windows
How to Reproduce
None
Output
None
Code of Conduct
- I agree to follow the PSF Code of Conduct.
Issue Analytics
- Created a year ago
- Comments: 10 (7 by maintainers)
Top GitHub Comments
From previous discussion security@python.org is the one to use, and I’m surprised it rejected it (first time I’ve heard that happened). I don’t think there’s another dedicated mailing list for this, the closest alternative would be to find maintainers’ emails on GitHub and email privately.
(I’m going to raise this issue in the Packaging Summit next month at PyCon)
I don’t see any reports from OP on security@python.org. Could you forward the email that you sent to security@ to me?