Donald Stufft email@example.com wrote:
There is support for trusted externally hosted packages, you put the URL in PyPI and include a hash in the fragment like so:
That is exactly the mode I was using until today. This mode produced the subject's warning message.
Today I've switched to manual install mode with manual sha256sum verification which is far safer than anything you get via pip right now.
For the definition of safe that PyPI/pip operate under, which is that the author of a package is assumed to be trusted by the person electing to download their package.
No, there are other holes, which you have conceded in your previous mail.
I don't think the warning is FUD, and it doesn't mention anything security related at all. The exact text of the warning is in the subject of the email here:
cdecimal an externally hosted file and may be unreliable
Which is true as far as I can tell, it is externally hosted, and it may be unreliable. If there is a better wording for that I'm happy to have it and will gladly commit it myself to pip.
Do you honestly not see a difference between the cited warning and the intended warning "the server's availability may be unreliable"?
Even the latter is FUD or a truism (it applies to any server).
The real question is: Why is there a warning if the person running pip has explicitly allowed external packages?
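The thread refers to the PyPI mechanism where an externally hosted link carries the file's digest in the URL fragment (`#sha256=...`) and pip checks the download against it. The script below is an added illustration of that check, not code from pip, PyPI or anyone in this thread: the archive bytes and the `example.invalid` URL are constructed here, and the refusal of `md5` links is this example's own policy rather than pip's behaviour. It shows what the fragment does guarantee (the bytes match what the author published) and what it does not (it says nothing about whether the author is trustworthy or the host is available, the point made above).

```python
"""Added example: verifying a download against the hash carried in a PyPI
external-link fragment such as '#sha256=<hexdigest>'.  Not pip's own code."""
import hashlib
import hmac
from urllib.parse import urlparse, parse_qs

# Digests a link fragment may name; order is the preference when several appear.
PREFERRED_ALGOS = ("sha512", "sha256", "md5")

# Constructed sample payload standing in for an externally hosted sdist.
SAMPLE_ARCHIVE = b"constructed contents of cdecimal-X.Y.tar.gz for this example\n"

# Hypothetical host: example.invalid is reserved and never resolves.
BASE_URL = "https://example.invalid/releases/cdecimal-X.Y.tar.gz"
GOOD_URL = BASE_URL + "#sha256=" + hashlib.sha256(SAMPLE_ARCHIVE).hexdigest()
MD5_URL = BASE_URL + "#md5=" + hashlib.md5(SAMPLE_ARCHIVE).hexdigest()
BARE_URL = BASE_URL  # externally hosted link with no digest at all


def parse_hash_fragment(url: str):
    """Return (algorithm, hexdigest) from the URL fragment, or None when the
    link carries no recognised digest."""
    fragment = urlparse(url).fragment
    if not fragment:
        return None
    fields = parse_qs(fragment)
    for algo in PREFERRED_ALGOS:
        if algo in fields and fields[algo]:
            return algo, fields[algo][0].lower()
    return None


def verify_payload(payload: bytes, url: str) -> bool:
    """True only when the link names a digest, the digest is acceptable and the
    payload matches it.  A link with no digest never passes: 'unverified' is
    reported as a failure, not silently accepted."""
    parsed = parse_hash_fragment(url)
    if parsed is None:
        return False
    algo, expected = parsed
    if algo == "md5":
        # Example policy (assumption, not pip's): refuse a digest that no
        # longer resists collision attacks.
        return False
    actual = hashlib.new(algo, payload).hexdigest()
    return hmac.compare_digest(actual, expected)


def classify(payload: bytes, url: str) -> str:
    """Human-readable outcome, for the demo below."""
    if parse_hash_fragment(url) is None:
        return "no digest in link: integrity unverifiable"
    return "digest matches" if verify_payload(payload, url) else "digest mismatch or rejected"


if __name__ == "__main__":
    tampered = SAMPLE_ARCHIVE + b"extra byte"
    print("good link, original bytes :", classify(SAMPLE_ARCHIVE, GOOD_URL))
    print("good link, tampered bytes :", classify(tampered, GOOD_URL))
    print("md5-only link             :", classify(SAMPLE_ARCHIVE, MD5_URL))
    print("bare link                 :", classify(SAMPLE_ARCHIVE, BARE_URL))
```

Note what a passing check means here: the bytes are the ones whose digest the package author registered on PyPI. Whether that author should be trusted, and whether the external host answers at all, are separate questions that no fragment digest can settle.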