[Catalog-sig] Proposal: close the PyPI file-replacement loophole
tjreedy at udel.edu
Wed Feb 1 01:40:08 CET 2012
On 1/31/2012 6:43 PM, Donald Stufft wrote:
> I don't think anyone is arguing that it's not occasionally useful. The
> question to answer is whether the occasional usefulness is worth the
> risks that come with it. In my opinion the small utility (being able to
> correct a borked packaging job) is not worth the risks to both my
> application's stability and the security of my entire system.
The question is whether, on each issue, PyPI should be optimized for
authors (who provide their modules for free) or for users. Both choices
are defensible. However, if all choices are made in favor of users,
there will very likely be fewer things uploaded or even listed, which is
not favorable for users.
It is hard to take your security concerns too seriously when you
consistently ignore security suggestions. Prohibiting deletion or
replacement by authors will give you no protection against the site
being compromised by other means, whereas the suggestions you ignore would.
Terry Jan Reedy