Remove Rope entirely due to security issues #1449
Comments
I never really used it so I am not opposed to removing it.
When was the CVE made public? Some time in 2014? It was patched
From the CVE page:
Thanks for noting Rope patched the problem. Apparently, upgrading Rope to a newer version fixes Github nagging about it. But Rope for Python3 has not been updated in ages, and most likely suffers from the same issue?
Oh my...many (most?) users were unpatched for four years. It's also very strange that there was such a huge lag between the RedHat-identification of the issue and the CVE... https://bugzilla.redhat.com/show_bug.cgi?id=1116485
Sorry, I don't know if the Python3 variant was fixed. In principle I believe an upstream that leaves a critical remote vulnerability that doesn't require a user-initiated trigger unpatched for four years should be dropped...
@galaunay whatever happened to this issue? I was surprised to learn that Rope was still part of Elpy when a Debian user (who submits patches, so maybe a developer!) submitted this bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940660 @jorgenschaefer wrote "I can not in good conscience recommend to use rope at all." at #1518 (comment), so it seems like the only thing delaying its release is the loss of code refactoring functionality. Sadly Jedi does not yet provide a solution from what I've read, but here's what looks like a promising alternative: https://github.com/facebookincubator/Bowler
I barely use refactoring in Elpy, so I don't know how bad it is. I just didn't want to remove rope without something to replace it.
The Rope library is barely maintained and now has security issues:
https://nvd.nist.gov/vuln/detail/CVE-2014-3539
Elpy already only uses Rope minimally for refactoring these days, but in light of the lack of maintenance, it might be a good idea to get rid of it entirely?