Looking at the trailofbits/pip-audit and pypa/advisory-database
documentation, it seems like the end goal is to have security
advisory information served from PyPI and reported to end users at
the time they’re trying to install things, but to also be able to
later re-audit those same environments for newly discovered
vulnerabilities. Having two separate codebases do the reporting
(one at install time, one after installation) could result in a lot
of code duplication or even more vendored libs in pip.
3 Likes