Standardise PyPI ecosystem reporting of Python runtime applicability #259
Description
pypa/pip-audit#949 seemed like the wrong place to be having this conversation, so let's start again over here...
/CC @jenstroeger since you filed pypa/pip-audit#949
/CC @keerthanap8898 who is the protagonist, I'm just support crew 😃
/CC @woodruffw FYI
In pypa/pip-audit#949 (comment):
> There's the `ecosystem_specific` field, but that field requires OSV report creators to agree on a representation + actually use it.
This is a/the place to start trying to get some agreement on a standard for how the PyPI ecosystem will report on the Python runtime for vulnerabilities in the OSV format. The key stakeholders are going to be the OSV home databases that publish OSV records for the PyPI ecosystem:
- Python Packaging Advisory Database
- GitHub Advisory Database
- OpenSSF Malicious Packages
OSV.dev doesn't need to validate this field and the data can be passed through unmodified to downstream consumers of it.
As one of the OSV schema maintainers, if necessary and helpful, we can look to specify something within the schema documentation, but I really don't think we're the right people to be telling the aforementioned data publishers how they should be utilising this field. That should be a conversation between the data publishers and the data consumers. OSV Schema folks (like me) can certainly broker and participate in that conversation... I'm thinking of this as an ecosystem-specific sub-schema specification.
@keerthanap8898 proposed something in pypa/pip-audit#949 (comment)
My thoughts are it may be better to follow the existing affected field so that downstream consumers don't have to invent a new way of parsing the data in this field...
(We've currently got a prefix (PSF) for the Python runtime, but no ecosystem defined for it, so if we do go down that path, that's an additional administrative consideration)
Someone needs to take point on reaching consensus amongst the PyPI ecosystem stakeholders on both the format and the utilisation of it.
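As an added illustration of the "reuse the `affected` representation" idea above (example code written for this page; it is not the OSV schema project's, pip-audit's, or any thread participant's proposal): a consumer that already walks `affected[].ranges` can evaluate a runtime sub-schema with the same range walker if the sub-schema copies that layout. The key `ecosystem_specific["python_runtime"]` and its shape are assumptions made for the example; the OSV schema does not define them. The sample affected entry and package name `examplepkg` are constructed, and version comparison covers only the PEP 440 release segment so the block runs with the standard library alone.

```python
"""Consumer-side applicability check for a hypothetical ``ecosystem_specific``
sub-schema that mirrors the OSV ``affected[].ranges`` representation.

Added example, not code from the OSV schema project or pip-audit. The key
``ecosystem_specific["python_runtime"]`` and its layout are an assumption for
illustration only. Version comparison handles just the PEP 440 release
segment (no rc/post/local versions) so the example needs no third-party
library.
"""
from typing import Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Parse a dotted release version such as '3.11.4' into an int tuple."""
    return tuple(int(part) for part in v.split("."))


def version_in_range(version: str, rng: dict) -> bool:
    """Evaluate one OSV-style ECOSYSTEM range object against a version.

    OSV events are ordered: ``introduced`` opens an affected interval and
    ``fixed`` (exclusive) or ``last_affected`` (inclusive) closes it.
    ``introduced: "0"`` means "from the first version". An interval with no
    closing event is open-ended. This is the walk a consumer already performs
    for ``affected[].ranges``; a runtime sub-schema that reuses the layout
    needs no second parser.
    """
    if rng.get("type") != "ECOSYSTEM":
        return False
    v = parse_version(version)
    lower: Optional[Tuple[int, ...]] = None  # lower bound of the open interval
    for event in rng.get("events", []):
        if "introduced" in event:
            intro = event["introduced"]
            lower = () if intro == "0" else parse_version(intro)
        elif "fixed" in event and lower is not None:
            if lower <= v < parse_version(event["fixed"]):
                return True
            lower = None
        elif "last_affected" in event and lower is not None:
            if lower <= v <= parse_version(event["last_affected"]):
                return True
            lower = None
    return lower is not None and v >= lower


def affected_entry_applies(entry: dict, package_name: str,
                           package_version: str, python_version: str) -> bool:
    """True if one ``affected`` entry applies to this package AND runtime.

    The runtime test reads the hypothetical ``ecosystem_specific.python_runtime``
    object (an assumption for this example). When it is absent the record makes
    no runtime claim, so the finding applies on every interpreter.
    """
    pkg = entry.get("package", {})
    if pkg.get("ecosystem") != "PyPI" or pkg.get("name") != package_name:
        return False
    if not any(version_in_range(package_version, r) for r in entry.get("ranges", [])):
        return False
    runtime = entry.get("ecosystem_specific", {}).get("python_runtime")
    if runtime is None:
        return True
    return any(version_in_range(python_version, r) for r in runtime.get("ranges", []))


# Constructed sample: an affected entry for a made-up package, affected from
# 1.0.0 up to (excluding) 1.4.2, but only when running on Python < 3.12.
SAMPLE_AFFECTED = {
    "package": {"ecosystem": "PyPI", "name": "examplepkg"},
    "ranges": [{"type": "ECOSYSTEM",
                "events": [{"introduced": "1.0.0"}, {"fixed": "1.4.2"}]}],
    "ecosystem_specific": {
        "python_runtime": {  # hypothetical key, same layout as affected[].ranges
            "ranges": [{"type": "ECOSYSTEM",
                        "events": [{"introduced": "0"}, {"fixed": "3.12.0"}]}]
        }
    },
}


if __name__ == "__main__":
    for py in ("3.11.4", "3.12.1"):
        print(py, affected_entry_applies(SAMPLE_AFFECTED, "examplepkg", "1.2.0", py))
```

Whatever shape the publishers finally agree on, the practical check for consumers is the one shown here: the `affected` range evaluation they already ship should be reusable unchanged for the runtime claim, and a record with no runtime object must still be treated as applicable everywhere rather than silently dropped.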