[Catalog-sig] PEP 345 Update

Tarek Ziadé ziade.tarek at gmail.com
Sat Aug 14 02:48:24 CEST 2010


2010/8/14 Alexis Métaireau <ametaireau at gmail.com>:
>  Hi P.J,
>
> On 08/13/2010 10:20 PM, P.J. Eby wrote:
>> Has anybody given any thought to actually managing the *uses* of
>> Obsoletes-Release and Conflict-Release?
>>
>> In particular, I'm wondering what installation tools are expected to
>> do with this information.  Unless these fields are merely advisory in
>> nature, I can foresee some user-hostile applications of the fields,
>> e.g. by two forks of a package constantly marking each others'
>> packages as obsoleted, conflicting, etc.
> That's true, but if we choose to put our trust in the packagers,
> then we couldn't do anything to avoid them doing things like that. Other
> packaging solutions have chosen to rely on trusted packagers only, and
> have a specific process to handle the packaging.
>
> I hope this is not needed for Python. If we were having such issues, we
> could think of a solution at that time, I guess.

You mean a package audit done by a human before it's added to PyPI?

PyPI is not a distribution, it's a repository of packages for the community,
so that will never happen.

If you want to give your trust to just one single party, you need to use a Python
distribution where each package is carefully audited and added, as you said.


Regards
Tarek

