undefined | Better HN

0 pointsgautamdivgi7y ago0 comments

Where I work the solution was to use a proxy to pypi. Basically an internal pip repo (and docker, npm, maven, everything else...). All internal apps go through the internal repository that creates a local version of the package from pypi. That gives the security / compliance folks a way to block packages with security issues, etc. and at the same time provide the developers flexibility to get most of what is needed.

In a large company this gives the compliance folks a central place to blacklist packages - along with a trail of what systems have downloaded the package to target for upgrades.

0 comments

2 comments · 1 top-level

sametmax7y ago· 1 in thread

Many technical solutiins exist, but the problem is political or organisational.

gautamdivgiOP7y ago

Agree. At this point it was more a case of executives saying they wanted internal dev teams to use and contribute to open source and supporting orgs to come up with solutions on how that can be possible with a 0-touch approach. That’s what tipped the balance.

j / k navigate · click thread line to collapse