<div>
<br>
</div>
<div></div>
<p style="color: #A0A0A8;">On Wednesday, February 1, 2012 at 10:18 AM, Antoine Pitrou wrote:</p>
<blockquote type="cite" style="border-left-style:solid;border-width:1px;margin-left:0px;padding-left:10px;">
<span><div><div><div>Donald Stufft <donald.stufft <at> <a href="http://gmail.com">gmail.com</a>> writes:</div><blockquote type="cite"><div><div>I don't even understand why people are having this discussion. PyPI is not a</div><div>packaging *authority*. It's not Debian or Fedora or anything like that. It's</div><div>just a place for people to publish files and metadata. You can't trust it any</div><div>more than you can trust the uploaders themselves.</div><div><br></div><div>Semantics arguments are boring and tired.</div></div></blockquote><div><br></div><div>Just because you don't understand them doesn't make them irrelevant.</div><div>PyPI is *not* secure. Any maintainer can upload whatever (s)he wants. You are</div><div>asking for a fix that won't do any good for the general problem.</div></div></div></span></blockquote><div>No, them being irrelevant makes them irrelevant. </div><blockquote type="cite" style="border-left-style:solid;border-width:1px;margin-left:0px;padding-left:10px;"><span><div><div><div><br></div><blockquote type="cite"><div><div>People depend on PyPI and the packages installed there. They depend on the</div><div>ability to pin to a specific tested release of libraries and they should be</div><div>able to depend on the fact that if they ask for version 1.1 of library XYZ</div><div>they will always get the exact same package.</div></div></blockquote><div><br></div><div>Are you sure you will get the "exact same package"? What if the Linux version</div><div>has different contents from the Windows version? Or the py-2.6 version was not</div><div>built properly (while the py-2.7 version was)?</div><div>Perhaps there was originally only a source release, and the attacker added some</div><div>download links for malicious binary builds?</div><div><br></div><blockquote type="cite"><div><div>What if <a href="http://python.org">python.org</a> decided to replace the download links for Python 2.7.2</div><div>with a new version of Python 2.7.2 with new bugs fixed, or maybe a typo?</div></div></blockquote><div><br></div><div>What if? That may be a good reason to stop trusting <a href="http://python.org">python.org</a>.</div><div>Similarly, if a maintainer of a 3rd-party package uploads a significantly</div><div>different file for a given release, you should perhaps stop trusting them too.</div><div>But *you* must make that decision. You can't ask an automated software system to</div><div>solve trust issues for you.</div><div><br></div><blockquote type="cite"><div><div>What if those "harmless" fixes broke my software because I was depending on</div><div>that behavior and now my software just stops working.</div></div></blockquote><div><br></div><div>What if? The right attitude is certainly not to complain to PyPI. Instead,</div><div>complain to the maintainer.</div><div><br></div><div>Regards</div><div><br></div><div>Antoine.</div><div><br></div><div><br></div><div>_______________________________________________</div><div>Catalog-SIG mailing list</div><div><a href="mailto:Catalog-SIG@python.org">Catalog-SIG@python.org</a></div><div><a href="http://mail.python.org/mailman/listinfo/catalog-sig">http://mail.python.org/mailman/listinfo/catalog-sig</a></div></div></div></span>
</blockquote>
<div>
<br>
</div>