On 17.11.2008 8:17 Uhr, Chris Withers wrote:
Andreas Jung wrote:
Out on interest, how does buildout handle password-protected indexes?
Unsupported - we trust our internal and external developers.
Okay, but surely that means you can only expose that packaging server to a very limited set of people? If you can upload and download without restriction, then at most you can only expose it to an intranet of machines that need packages (what do you do if they're on more than one site with no linking vpn?) and even for developers, I guess they must have to be attached to some vpn to upload packages? Still, how do you stop clients that should only be reading packages (which I'm guessing is the majority) from uploading rogue packages?
The scope of haufe.eggserver is basically for internal development and deployment only. So here security does not matter. Eggbasket obviously provides support for restricting uploads on a per package basis as PyPI does. However I did not get Eggbasket running. Andreas