On Wednesday, December 5, 2012 at 6:18 PM, Barry Warsaw wrote:
On Dec 05, 2012, at 06:07 PM, Donald Stufft wrote:

If you're installing B you've prescribed trust to that author. If you don't
trust the author then why are you installing (and then executing) code
they wrote.

What if you installed Z, but B got installed because it was a dependency three
levels down?

Sure, you granted trust to Z, Z granted trust to Y, and Y granted trust to B. Like
in SSL certificates, there is a chain of trust. If you don't trust Z then don't install
their package.

Very convenient to declare that one of the major use cases for
Obsoletes over Obsoleted-By is not valid because of your own
personal opinions.

Like I said above, if you're installing a package
that someone has uploaded you've implicitly granted them trust. There
are far worse things that a bad Python citizen can do during, and after,
an install than what is allowed by Obsoletes.

Well, basically never installing anything from PyPI except into a virtualenv
is probably a good recommendation (maybe even now).

A virtualenv only protects you from well-behaved packages. There is no way
to prevent a package author from doing very nasty things to you if they wish.
Providing more power in the metadata doesn't make this situation better or
worse, it just makes more standard paths in the cases where you do need
to do it.

End systems oftentimes do not have a singular organization controlling
every package in their system. The best example is Ubuntu and their PPAs.

Well, PPAs are awesome, but have known and well-publicized trust issues. I
wouldn't enable a PPA on my running system without really knowing who the
owner is and why I'm using their PPA. Or doing a lot of testing in a chroot
first, and probably pinning the package set to just the one(s) from the PPA I
care about.

Basically the same thing can be said about packages on PyPI. All the same
trust issues exist there. Simply installing a Python package is already granting
far more trust than Obsoletes requires, since installing a package executes
someone else's Python code on your system. Even if you remove setup.py you're
still going to be executing their code on your system. If you do not trust the
author of the packages you are installing, you do not install their packages.