[Catalog-sig] Proposal: close the PyPI file-replacement loophole

Terry Reedy tjreedy at udel.edu
Wed Feb 1 01:40:08 CET 2012

On 1/31/2012 6:43 PM, Donald Stufft wrote:
> I don't think anyone is arguing that it's not occasionally useful. The
> question to answer is whether the occasional usefulness is worth the risks
> that come with it. In my opinion the small utility (being able to correct a
> borked packaging job) is not worth the risks to both my application's
> stability and the security of my entire system.

The question is whether, on each issue, PyPI should be optimized for 
authors (who provide their modules for free) or for users. Both choices 
are defensible. However, if all choices are made in favor of users, 
there will very likely be fewer things uploaded or even listed, which is 
not favorable for users.

It is hard to take your security concerns too seriously when you 
consistently ignore security suggestions. Prohibiting deletion or 
replacement by authors will give you no protection against the site 
being compromised by other means, whereas the suggestions you ignore would.

Terry Jan Reedy
