[Catalog-sig] Proposal: close the PyPI file-replacement loophole

Martijn Faassen faassen at startifact.com
Sat Feb 4 21:12:29 CET 2012

On 02/01/2012 01:40 AM, Terry Reedy wrote:
> On 1/31/2012 6:43 PM, Donald Stufft wrote:
>> I don't think anyone is arguing that it's not occasionally useful. The
>> question to answer is the occasional usefulness worth the risks that
>> come with it. In my opinion the small utility (being able to correct a
>> borked packaging job) is not worth the risks to both my applications
>> stability, and the security of my entire system.
> The question is whether, on each issue, PyPI should be optimized for
> authors (who provide their modules for free) or for users. Both choices
> are defensible. However, if all choices are made in favor of users,
> there will very likely be fewer things uploaded or even listed, which is
> not favorable for users.

I don't think it's a simple dichotomy. If the authors follow certain 
best practices they might retain more users, say. And if system is great 
for users and has lots of them, that motivates authors to work with it.



More information about the Catalog-SIG mailing list