[Catalog-sig] Proposal: close the PyPI file-replacement loophole
thomas at thomas-lotze.de
Mon Jan 30 07:26:46 CET 2012
Richard Jones wrote:
> I'm considering closing this loophole by retaining a record of the
> uploaded file (though not the contents) so that future uploads with the
> same name wouldn't be allowed. I understand that this is how the ruby gem
> archive handles deletion of files.
I'd even suggest disallowing the deletion of files in the first place and
retaining them, including their contents. I regularly see trouble arising from
files having been deleted from PyPI that are needed even after their
authors considered them obsolete. This may simply be due to version
pinning in some application deployment or similar.