[Catalog-sig] Proposal: close the PyPI file-replacement loophole

Donald Stufft donald.stufft at gmail.com
Wed Feb 1 01:41:32 CET 2012

Which suggestions did I ignore? 

On Tuesday, January 31, 2012 at 7:40 PM, Terry Reedy wrote:

> On 1/31/2012 6:43 PM, Donald Stufft wrote:
> > I don't think anyone is arguing that it's not occasionally useful. The
> > question to answer is the occasional usefulness worth the risks that
> > come with it. In my opinion the small utility (being able to correct a
> > borked packaging job) is not worth the risks to both my applications
> > stability, and the security of my entire system.
> > 
> The question is whether, on each issue, PyPI should be optimized for 
> authors (who provide their modules for free) or for users. Both choices 
> are defensible. However, if all choices are made in favor of users, 
> there will very likely be fewer things uploaded or even listed, which is 
> not favorable for users.
> It is hard to take your security concerns too seriously when you 
> consistently ignore security suggestions. Prohibiting deletion or 
> replacement by authors will give you no protection against the site 
> being compromised by other means, whereas the suggestions you ignore would.
> -- 
> Terry Jan Reedy
> _______________________________________________
> Catalog-SIG mailing list
> Catalog-SIG at python.org (mailto:Catalog-SIG at python.org)
> http://mail.python.org/mailman/listinfo/catalog-sig

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/catalog-sig/attachments/20120131/46a5fec5/attachment-0001.html>

More information about the Catalog-SIG mailing list