[Catalog-sig] Proposal: close the PyPI file-replacement loophole
ubershmekel at gmail.com
Wed Feb 1 16:34:20 CET 2012
On Wed, Feb 1, 2012 at 5:18 PM, Antoine Pitrou <solipsis at pitrou.net> wrote:
> Donald Stufft <donald.stufft <at> gmail.com> writes:
> > I don't even understand why people are having this discussion. PyPI is
> > not a packaging *authority*. It's not Debian or Fedora or anything like
> > that. It's just a place for people to publish files and metadata. You
> > can't trust it any more than you can trust the uploaders themselves.
> > Semantics arguments are boring and tired.
> Just because you don't understand them doesn't make them irrelevant.
> PyPI is *not* secure. Any maintainer can upload whatever (s)he wants. You're
> asking for a fix that won't do any good for the general problem.
With that attitude you must really hate bumping release versions.
Anyhow, it's a simple best practice that was the original design of the
system. As was mentioned, of course there are more vulnerabilities.
Improving the system one part at a time would still be a good idea.
This feature would be a big win in security and sanity for a very small
cost of convenience for very rare occasions and needs.
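As an added illustration (not code from this thread, and not PyPI's own implementation), here is a toy model of the two sides of the argument: the server-side rule the proposal asks for, where a published filename can never be re-uploaded, next to the hash pin a client can keep to detect a silent swap while the loophole remains open. Project names, filenames and file contents are constructed for the example.

```python
"""Toy model of the PyPI file-replacement loophole and the proposed fix.
Everything here is constructed for illustration; it is not PyPI's code."""
import hashlib


class ImmutableIndex:
    """Minimal package index: stores (project, filename) -> file bytes."""

    def __init__(self):
        self._files = {}

    def upload(self, project, filename, content, allow_replace=False):
        key = (project, filename)
        if key in self._files and not allow_replace:
            # The proposal: a filename published once is immutable, so a
            # second upload under the same name is rejected outright.
            raise PermissionError(f"{project}/{filename} already exists")
        self._files[key] = content

    def download(self, project, filename):
        return self._files[(project, filename)]


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_pinned(index, project, filename, pinned_hash):
    """Client-side mitigation: compare the served file against the hash
    recorded at first install. A mismatch means the file was replaced."""
    return sha256_hex(index.download(project, filename)) == pinned_hash


def scenario(loophole_open):
    """Publish a release, pin its hash, then attempt a same-name re-upload.
    Returns (replacement_succeeded, pinned_hash_still_matches)."""
    idx = ImmutableIndex()
    idx.upload("example-proj", "example-proj-1.0.tar.gz", b"release 1.0")
    pin = sha256_hex(idx.download("example-proj", "example-proj-1.0.tar.gz"))
    try:
        idx.upload("example-proj", "example-proj-1.0.tar.gz",
                   b"silently swapped contents", allow_replace=loophole_open)
        replaced = True
    except PermissionError:
        replaced = False
    return replaced, verify_pinned(idx, "example-proj",
                                   "example-proj-1.0.tar.gz", pin)


if __name__ == "__main__":
    print("loophole open:", scenario(True))    # swap succeeds, pin breaks
    print("loophole closed:", scenario(False))  # swap rejected, pin holds
```

With the loophole open the re-upload goes through and only the client's pinned hash reveals it; with the proposed rule in place the index refuses the re-upload and the pinned hash keeps matching.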