Remove Rope entirely due to security issues #1449
Comments
|
I never really used it so I am not opposed to removing it. |
|
When was the CVE made public? Some time in 2014? It was patched |
|
From the CVE page:
Thanks for noting Rope patched the problem. Apparently, upgrading Rope to a newer version fixes Github nagging about it. But Rope for Python3 has not been updated in ages, and most likely suffers from the same issue? |
Oh my...many (most?) users were unpatched for four years. It's also very strange that there was such a huge lag between the RedHat-identification of the issue and the CVE... https://bugzilla.redhat.com/show_bug.cgi?id=1116485
Sorry, I don't know if the Python3 variant was fixed. In principle I believe an upstream that leaves a critical remote vulnerability that doesn't require a user-initiated trigger unpatched for four years should be dropped... |
|
@galaunay whatever happened to this issue? I was surprised to learn that Rope was still part of Elpy when a Debian user (who submits patches, so maybe developer!) submitted this bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940660 @jorgenschaefer wrote "I can not in good conscience recommend to use rope at all." at #1518 (comment), so it seems like the only thing delaying its release is the loss of code refactoring functionality. Sadly Jedi does not yet provide a solution from what I've read, but here's what looks like a promising alternative: https://github.com/facebookincubator/Bowler |
|
I barely use refactoring in Elpy, so I don't know how bad it is. I just didn't wanted to remove rope without something to replace it. |
The Rope library is barely maintained and now has security issues:
https://nvd.nist.gov/vuln/detail/CVE-2014-3539
Elpy already only uses Rope minimally for refactoring these days, but in light of the lack of maintenance, it might be a good idea to get rid of it entirely?
The text was updated successfully, but these errors were encountered: