[Catalog-sig] Proposal: close the PyPI file-replacement loophole

Jim Fulton jim at zope.com
Sat Feb 4 22:01:04 CET 2012

On Sat, Feb 4, 2012 at 3:12 PM, Martijn Faassen <faassen at startifact.com> wrote:
> On 02/01/2012 01:40 AM, Terry Reedy wrote:
>> On 1/31/2012 6:43 PM, Donald Stufft wrote:
>>> I don't think anyone is arguing that it's not occasionally useful. The
>>> question to answer is whether the occasional usefulness is worth the risks that
>>> come with it. In my opinion the small utility (being able to correct a
>>> borked packaging job) is not worth the risks to both my application's
>>> stability and the security of my entire system.
>> The question is whether, on each issue, PyPI should be optimized for
>> authors (who provide their modules for free) or for users. Both choices
>> are defensible. However, if all choices are made in favor of users,
>> there will very likely be fewer things uploaded or even listed, which is
>> not favorable for users.
> I don't think it's a simple dichotomy. If the authors follow certain best
> practices they might retain more users, say. And if the system is great for
> users and has lots of them, that motivates authors to work with it.

Well said. Thanks.


Jim Fulton