The public docs should document #18781 (particularly after we remove it from preview).
Some key things we should document:
- We use OSV for malware reports, and users can configure their own API-compatible OSV service if they're hosting one.
- OSV in turn uses https://github.com/ossf/malicious-packages for MAL advisories. MAL advisories are not propagated directly by PyPI, and are produced on timelines that aren't related directly to quarantine actions on PyPI.
- Malware checks are performed on locked resolutions, since installing from a lockfile doesn't re-access the index. For resolution itself, the equivalent behavior is controlled by PyPI's own quarantining abilities.