[Catalog-sig] Proposal: close the PyPI file-replacement loophole

Antoine Pitrou solipsis at pitrou.net
Wed Feb 1 15:29:11 CET 2012

Yuval Greenfield <ubershmekel <at> gmail.com> writes:
> Obviously this isn't the only problem if the account of an SQLAlchemy
> maintainer is compromised - other threats can manifest as well.

So, why you think PyPI has to have protections against the hacking of
maintainers' accounts is beyond me. That's a completely unreasonable

Besides, being able to delete a release is mandatory (imagine you have uploaded
confidential files by mistake).

I don't even understand why people are having this discussion. PyPI is not a
packaging *authority*. It's not Debian or Fedora or anything like that. It's
just a place for people to publish files and metadata. You can't trust it any
more than you can trust the uploaders themselves.



More information about the Catalog-SIG mailing list