[Catalog-sig] Proposal: close the PyPI file-replacement loophole

Terry Reedy tjreedy at udel.edu
Wed Feb 1 01:46:53 CET 2012

1. Record and check md5 hash on all downloads.
2. Redistribute files yourself (if license allows).

Ignore in the sense of not responding as to why they are not adequate alternatives to your request.

It is confusing.
Please do not top post.

On 1/31/2012 7:41 PM, Donald Stufft wrote:
> Which suggestions did I ignore?
> On Tuesday, January 31, 2012 at 7:40 PM, Terry Reedy wrote:
>> It is hard to take your security concerns too seriously when you
>> consistently ignore security suggestions. Prohibiting deletion or
>> replacement by authors will give you no protection against the site
>> being compromised by other means, whereas the suggestions you ignore
>> would.
Terry Jan Reedy
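
The "record and check the hash on all downloads" suggestion above, worked through as an added example (this is not code from the thread or from PyPI, and the file names and contents are constructed for illustration). The first fetch records a digest for each release file; every later download is compared against that record, so a file silently replaced under the same name no longer matches. The hash algorithm is a parameter: md5 is what the message names, and the same code runs with sha256.

```python
import hashlib
import hmac
import json

# Constructed sample: the bytes a consumer saw the first time it fetched each
# release file. In practice these would be the real sdist/wheel contents.
ORIGINAL_FILES = {
    "examplepkg-1.0.tar.gz": b"original release contents of examplepkg 1.0\n",
    "examplepkg-1.1.tar.gz": b"original release contents of examplepkg 1.1\n",
}


def file_digest(data: bytes, algorithm: str = "md5") -> str:
    """Hex digest of a file's bytes with the named hashlib algorithm."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


def record_hashes(files: dict, algorithm: str = "md5") -> dict:
    """Step 1: record a digest for every file the first time it is downloaded.

    The result is JSON-serialisable so it can be kept alongside a
    requirements list and checked into version control.
    """
    return {
        "algorithm": algorithm,
        "files": {name: file_digest(data, algorithm) for name, data in files.items()},
    }


def check_download(pins: dict, name: str, data: bytes) -> tuple:
    """Step 2: compare a later download against the recorded digest.

    Returns (ok, reason). A file with no recorded hash is rejected rather
    than trusted, since the point is to install only what was recorded.
    """
    expected = pins["files"].get(name)
    if expected is None:
        return False, "%s: no recorded hash, refusing" % name
    actual = file_digest(data, pins["algorithm"])
    # compare_digest avoids leaking how many leading hex chars matched.
    if not hmac.compare_digest(expected, actual):
        return False, "%s: recorded %s, got %s" % (name, expected, actual)
    return True, "%s: ok" % name


def save_pins(pins: dict) -> str:
    """Serialise the pin set; load_pins reverses it."""
    return json.dumps(pins, indent=2, sort_keys=True)


def load_pins(text: str) -> dict:
    return json.loads(text)


if __name__ == "__main__":
    pins = load_pins(save_pins(record_hashes(ORIGINAL_FILES)))
    # Unchanged file: passes.
    print(check_download(pins, "examplepkg-1.0.tar.gz",
                         ORIGINAL_FILES["examplepkg-1.0.tar.gz"]))
    # Same file name, different bytes: the replacement the thread is about.
    print(check_download(pins, "examplepkg-1.0.tar.gz",
                         b"silently replaced contents\n"))
    # A file that was never recorded: rejected.
    print(check_download(pins, "examplepkg-2.0.tar.gz", b"anything\n"))
```

Two caveats a practitioner should keep in mind. The record is only as good as the first download: if that copy was already tampered with, the pins faithfully protect the tampered file. And MD5 is collision-broken, so a party who controls both the originally uploaded file and its replacement can produce two files with the same MD5; recording sha256 instead (the `algorithm` argument) closes that particular gap.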
