[Catalog-sig] [PSF-Board] Troubled by changes to PyPI usage agreement

M.-A. Lemburg mal at egenix.com
Thu Jan 21 12:51:44 CET 2010

Tarek Ziadé wrote:
> On Thu, Jan 21, 2010 at 11:59 AM, M.-A. Lemburg <mal at egenix.com> wrote:
>> "Martin v. Löwis" wrote:
>>>> Sure, the PEP can be used as basis for the decision process, but
>>>> someone still has to make the decision to add a mirror or not
>>>> and these people should be appointed to by the PSF - much like we
>>>> have an infrastructure committee to see after the python.org site.
>>>> The situation is a lot like with the Python trademarks:
>>>> The good guys always come and ask for permission. The bad guys
>>>> don't.
>>> With PEP 381, the bad guys won't get any attention. You can already
>>> run as many public mirrors of PyPI as you want, but nobody will notice.
>>> To become an official mirror, you have to ask for permission already;
>>> see the PEP.
>>>> In order to go after them we need a clear set of
>>>> rules for setting up and running a PyPI mirror and disallowing
>>>> setups that don't follow these rules.
>>> See the PEP.
>> Like I said: the PEP can be used to document the technical requirements
>> of being accepted as official mirror, but it doesn't cover any
>> of the legal requirements the PSF will need to put in place in
>> order to prevent unofficial mirrors which use the content to
>> e.g. increase their page rank, add advertisement and other
>> drive-by revenue, misrepresent authorship, add malware to popular
>> packages, etc.
> As Martin mentioned yesterday, the latter can't happen: see
> http://mail.python.org/pipermail/catalog-sig/2009-March/002018.html

I'm not thinking of sites that make the data available to automated
tools like pip which could of course check signatures, etc.

The problem gets real when putting the data up on the web for
users to download via a browser. If they then install directly from
the file without checking signatures, they can easily be tricked
into executing malware - and that would put the original author
of such a package into a pretty bad light.

In any case, that was just a list of examples.

Marc-Andre Lemburg

Professional Python Services directly from the Source  (#1, Jan 21 2010)
>>> Python/Zope Consulting and Support ...        http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ...             http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/

::: Try our new mxODBC.Connect Python Database Interface for free ! ::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
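The check the message says browser users skip, as an added example that is not part of this thread or of any PyPI tooling: it parses the `#<algo>=<hex>` digest fragment that PyPI's simple index attaches to download links (md5 at the time of this thread, sha256 today) and refuses to accept a file fetched from elsewhere unless it hashes to the published value. The index host and the sdist bytes are constructed for the demo.

```python
import hashlib
import hmac
from urllib.parse import urlparse

SUPPORTED = {"sha256", "md5"}  # md5 was the index fragment in 2010; sha256 today


def digest_from_link(href: str) -> tuple[str, str]:
    """Return (algorithm, hexdigest) from an index link's '#algo=hex' fragment."""
    fragment = urlparse(href).fragment
    algo, sep, hexdigest = fragment.partition("=")
    if not sep or algo.lower() not in SUPPORTED:
        raise ValueError(f"link carries no usable digest fragment: {href!r}")
    return algo.lower(), hexdigest.lower()


def verify_download(data: bytes, official_href: str) -> bool:
    """True only if `data` hashes to the digest the official index published."""
    algo, expected = digest_from_link(official_href)
    actual = hashlib.new(algo, data).hexdigest()
    # constant-time comparison, so the verdict does not depend on how many
    # leading digest characters happened to match
    return hmac.compare_digest(actual, expected)


# Constructed sample artifact standing in for a real sdist (not a real package).
GOOD_SDIST = b"PK\x03\x04 constructed sample sdist bytes for the demo"
# Hypothetical official-index link; the host name is a placeholder.
OFFICIAL_LINK = (
    "https://index.invalid/packages/sample-1.0.tar.gz#sha256="
    + hashlib.sha256(GOOD_SDIST).hexdigest()
)
# Same file name served by an untrusted mirror, but with altered contents.
TAMPERED_SDIST = GOOD_SDIST + b"\n# bytes that were not in the published release"


def main() -> None:
    for label, blob in (("good", GOOD_SDIST), ("tampered", TAMPERED_SDIST)):
        verdict = "install" if verify_download(blob, OFFICIAL_LINK) else "REJECT"
        print(f"{label:9s}-> {verdict}")


if __name__ == "__main__":
    main()
```

The same comparison is what `pip install --require-hashes` performs automatically; the point of the thread is that a file saved from a mirror's web page and installed by hand gets no such check unless the user runs one.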
