Ask HN: Would you pay for a secure PyPI?
Imagine a PyPI mirror, that has placeholder packages, duplicates and general typosquatter junk removed.
Where every package has gone through a basic semi-manual audit for license compliance, ownership of upstream code, correspondence between upstream and packaged release content etc. The due dilligence anyone should do, before taking on a new external dependency, but very few do in practice (especially on third- or fourth-hand dependencies).
Would you or your organization pay to use a service like this?
0 comments
[ 3.4 ms ] story [ 7.9 ms ] threadNo comments yet.