[Catalog-sig] Proposal: close the PyPI file-replacement loophole
ubershmekel at gmail.com
Wed Feb 1 15:52:43 CET 2012
On Wed, Feb 1, 2012 at 4:29 PM, Antoine Pitrou <solipsis at pitrou.net> wrote:
> Yuval Greenfield <ubershmekel <at> gmail.com> writes:
> > Obviously this isn't the only problem if the account of an SQLAlchemy
> > maintainer is compromised - other threats can manifest as well.
> So, why you think PyPI has to have protections against the hacking of
> maintainers' accounts is beyond me. That's a completely unreasonable
> Besides, being able to delete a release is mandatory (imagine you have
> confidential files by mistake).
The original proposal was "retaining a record of the uploaded file (though
not the contents) so that future uploads with the same name wouldn't be
It sounds like you would be happy with that proposal.
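The mechanism under discussion, modelled as an added example that is not part of the thread or of PyPI's own code: a toy index that keeps a record (filename and digest, not the file contents) of every upload, so that deleting a release still leaves the filename unusable, beside the naive index that has the replacement loophole. Class names, the filename and the file bytes are constructed for illustration.

```python
"""Filename tombstones for a package index (constructed example)."""
import hashlib


class NaiveIndex:
    """Index with the loophole: deleting a release frees its filename,
    so a later upload can silently replace the original contents."""

    def __init__(self):
        self._files = {}  # filename -> bytes

    def upload(self, filename, data):
        if filename in self._files:
            raise FileExistsError(f"{filename} already exists")
        self._files[filename] = data

    def delete(self, filename):
        del self._files[filename]

    def fetch(self, filename):
        return self._files[filename]


class TombstoneIndex:
    """Index that keeps a record (name and sha256, never the contents) of
    every file ever uploaded, so a deleted filename cannot be reused."""

    def __init__(self):
        self._files = {}  # filename -> bytes (live releases only)
        self._seen = {}   # filename -> sha256 hex digest, kept forever

    def upload(self, filename, data):
        if filename in self._seen:
            raise FileExistsError(
                f"{filename} was previously uploaded "
                f"(sha256 {self._seen[filename][:12]}...); use a new version")
        self._seen[filename] = hashlib.sha256(data).hexdigest()
        self._files[filename] = data

    def delete(self, filename):
        # The contents disappear (e.g. a confidential file uploaded by
        # mistake), but the tombstone in _seen is retained.
        del self._files[filename]

    def fetch(self, filename):
        return self._files[filename]

    def verify(self, filename, data):
        """True if data matches the digest recorded at original upload."""
        return hashlib.sha256(data).hexdigest() == self._seen.get(filename)


def attempt_replacement(index_cls):
    """Upload, delete, then try to re-upload different bytes under the
    same filename. Returns True if the replacement was accepted."""
    idx = index_cls()
    name = "example-pkg-1.0.tar.gz"  # constructed filename
    idx.upload(name, b"original release contents")
    idx.delete(name)
    try:
        idx.upload(name, b"different contents")
    except FileExistsError:
        return False
    return idx.fetch(name) == b"different contents"


if __name__ == "__main__":
    print("naive index accepts replacement:", attempt_replacement(NaiveIndex))
    print("tombstone index accepts replacement:", attempt_replacement(TombstoneIndex))
```

Because the retained record includes a digest, the same table also lets a client that cached a release check that a later download still matches the bytes originally published under that name.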