8 Oct 2014, 1:32 p.m.
On 8 October 2014 20:06, holger krekel
Given that PyPI is a wiki and Linux Distros are a curated index, I insist it's dangerous to recommend to mix multiple indexes with pip if you don't know quite exactly what you are doing. Do you really disagree on this?
Hence this line in the PEP:

    End users wishing to limit what files they pull from which repository can simply use devpi to whitelist projects from PyPI or another repository.

Anyone running a private PyPI mirror without disabling the use of upstream indexes entirely is already running their infrastructure in a dangerously insecure configuration. That has nothing to do with PEP 470.

Regards,
Nick.

-- 
Nick Coghlan | ncoghlan@gmail.com | Brisbane, Australia
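
An added example, not part of the original message: a Python check that lists every index a pip configuration would consult and flags the mixed-index setup discussed above. The host names and sample configs are constructed; the check is conservative and counts an `index-url` from every pip.conf section.

```python
import configparser
import re

DEFAULT_INDEX = "https://pypi.org/simple"  # pip's built-in index when none is set
INDEX_OPTS = ("-i", "--index-url", "--extra-index-url")

def configured_indexes(pip_conf_text="", requirements_text=""):
    """Return (origin, url) pairs for every index pip would consult."""
    found, has_primary = [], False
    cp = configparser.RawConfigParser()  # Raw: URLs may contain '%'
    cp.read_string(pip_conf_text)
    for section in cp.sections():
        for key in ("index-url", "extra-index-url"):
            if cp.has_option(section, key):
                has_primary = has_primary or key == "index-url"
                # extra-index-url may list several URLs on continuation lines
                for url in cp.get(section, key).split():
                    found.append((f"pip.conf [{section}] {key}", url))
    for n, line in enumerate(requirements_text.splitlines(), 1):
        tokens = re.sub(r"(^|\s+)#.*$", "", line).split()  # drop comments
        if not tokens:
            continue
        opt, _, val = tokens[0].partition("=")
        if opt in INDEX_OPTS:
            has_primary = has_primary or opt != "--extra-index-url"
            url = val or (tokens[1] if len(tokens) > 1 else "")
            found.append((f"requirements line {n} {opt}", url))
    if not has_primary:
        # With no explicit index-url, pip still queries its default index.
        found.insert(0, ("pip default", DEFAULT_INDEX))
    return found

def mixes_indexes(found):
    """True when pip would resolve against more than one distinct index."""
    return len({url.rstrip("/") for _, url in found}) > 1

# Constructed sample: private index with the upstream index still enabled.
WEAK_CONF = """[global]
index-url = https://pypi.internal.example/simple
extra-index-url = https://pypi.org/simple
"""
# Constructed sample: one index only; upstream filtering is done server-side.
SAFE_CONF = """[global]
index-url = https://devpi.internal.example/root/prod/+simple/
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("safe", SAFE_CONF)):
        idx = configured_indexes(conf)
        print(name, "MIXED" if mixes_indexes(idx) else "single index", idx)
```

pip gives no index priority over another, so a name that exists on both indexes resolves to whichever copy has the best-matching version.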