[Catalog-sig] Proposal: close the PyPI file-replacement loophole
Terry Reedy
tjreedy at udel.edu
Wed Feb 1 01:46:53 CET 2012
1. Record and check md5 hash on all downloads.
2. Redistribute files yourself (if license allows).
Ignore, in the sense of not responding as to why these are not an adequate alternative to your request.
It is confusing.
Please do not top-post.
On 1/31/2012 7:41 PM, Donald Stufft wrote:
> Which suggestions did I ignore?
>
> On Tuesday, January 31, 2012 at 7:40 PM, Terry Reedy wrote:
>> It is hard to take your security concerns too seriously when you
>> consistently ignore security suggestions. Prohibiting deletion or
>> replacement by authors will give you no protection against the site
>> being compromised by other means, whereas the suggestions you ignore
>> would.
--
Terry Jan Reedy
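Suggestion 1 above (record a hash on first download, check it on every later download) as a worked example. This is added illustration, not code from this thread or from PyPI; the package bytes and the pin-file path are constructed.

```python
import hashlib
import json
from pathlib import Path

# Constructed sample "downloads": the same filename fetched twice, the second
# time with silently replaced contents (the loophole this thread is about).
FIRST_DOWNLOAD = b"Metadata-Version: 1.0\nName: examplepkg\nVersion: 1.0\n"
REPLACED_DOWNLOAD = FIRST_DOWNLOAD + b"# contents changed under the same name\n"


def digest(data: bytes, algorithm: str = "md5") -> str:
    """Hex digest of a downloaded file. md5 is what the thread proposes;
    pass "sha256" instead if you want collision resistance as well."""
    return hashlib.new(algorithm, data).hexdigest()


def check_download(filename: str, data: bytes, pins: dict, algorithm: str = "md5") -> str:
    """Record the hash the first time a filename is seen, verify it afterwards.

    Returns "recorded" on first sight, "ok" when the hash matches the pin,
    and "mismatch" when a file with a known name has been replaced.
    """
    observed = digest(data, algorithm)
    expected = pins.get(filename)
    if expected is None:
        pins[filename] = observed
        return "recorded"
    return "ok" if observed == expected else "mismatch"


def load_pins(path: Path) -> dict:
    """Pins persist between runs as a small JSON map {filename: hexdigest}."""
    return json.loads(path.read_text()) if path.exists() else {}


def save_pins(path: Path, pins: dict) -> None:
    path.write_text(json.dumps(pins, indent=2, sort_keys=True))


if __name__ == "__main__":
    pin_file = Path("download-pins.json")  # hypothetical location
    pins = load_pins(pin_file)
    name = "examplepkg-1.0.tar.gz"
    print(name, check_download(name, FIRST_DOWNLOAD, pins))     # recorded
    print(name, check_download(name, FIRST_DOWNLOAD, pins))     # ok
    print(name, check_download(name, REPLACED_DOWNLOAD, pins))  # mismatch
    save_pins(pin_file, pins)
```

A "mismatch" is the signal to refuse the install and look at why the index now serves different bytes for a name it served before.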