[Catalog-sig] Proposal: close the PyPI file-replacement loophole

"Martin v. Löwis" martin at v.loewis.de
Mon Jan 30 09:04:05 CET 2012

>> -1. There are plenty of ways to check whether the file was modified if
>> you already have a copy of it. Users just need to accept that files may
>> change, and package authors need to accept that users may retain old
>> copies of a file even after they replaced it.
> I don't always have a copy of the file; I might only have a reference
> such as slumber==0.3.0.

All the better. A responsible author, when replacing an existing file,
should make sure that it is reasonably compatible with the previous
copy of the file. E.g. the update may include corrected typos or include
files that the previous copy didn't include; the previous copy may have
actually not worked at all in some circumstances.

Now, it may be that the author does break your code by mistake when
replacing a file. You should then report that to the author, asking
him to restore the original file and be more careful in the future.
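The thread turns on whether a user who only holds a reference such as slumber==0.3.0 can tell that the file behind it was replaced. The following is an added illustration, not code from the Catalog-SIG thread or from pip or PyPI: it pins a requirement to a content digest (the same idea as pip's later `--hash=` requirement syntax, here parsed by a hypothetical helper of our own) and refuses a download whose bytes no longer match the pinned digest. The requirement line, the file contents and the "silently replaced" variant are all constructed sample data.

```python
import hashlib
import hmac

# Constructed sample data: the bytes of "slumber-0.3.0.tar.gz" as first fetched,
# and a second version uploaded under the same name (hypothetical, for illustration).
ORIGINAL_BYTES = b"slumber-0.3.0: original sdist contents"
REPLACED_BYTES = b"slumber-0.3.0: same file name, different contents"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string; used to record a pin from a copy we trust."""
    return hashlib.sha256(data).hexdigest()


def parse_pinned_requirement(line: str):
    """Parse a line of the form 'name==version --hash=alg:hex [--hash=...]'.

    Returns (requirement, [(algorithm, hex_digest), ...]). The syntax mirrors
    pip's --hash option, but this parser is a hypothetical helper, not pip's.
    """
    tokens = line.split()
    if not tokens:
        raise ValueError("empty requirement line")
    requirement = tokens[0]
    pins = []
    for token in tokens[1:]:
        if not token.startswith("--hash="):
            raise ValueError(f"unexpected token in requirement line: {token!r}")
        algorithm, _, digest = token[len("--hash="):].partition(":")
        if algorithm not in hashlib.algorithms_available or not digest:
            raise ValueError(f"unsupported or malformed hash pin: {token!r}")
        pins.append((algorithm, digest.lower()))
    if not pins:
        raise ValueError(f"requirement {requirement!r} carries no hash pin")
    return requirement, pins


def matches_pin(data: bytes, pins) -> bool:
    """True if the downloaded bytes match at least one pinned digest.

    Constant-time comparison avoids leaking how many digest bytes matched;
    any match is accepted so a line may list digests for several file types.
    """
    for algorithm, expected in pins:
        actual = hashlib.new(algorithm, data).hexdigest()
        if hmac.compare_digest(actual, expected):
            return True
    return False


def verify_download(requirement_line: str, downloaded: bytes) -> bool:
    """Accept the download only when it matches a digest pinned in the line."""
    _, pins = parse_pinned_requirement(requirement_line)
    return matches_pin(downloaded, pins)


def build_pinned_line(requirement: str, trusted_copy: bytes) -> str:
    """Record a pin from a copy we already have, so later fetches can be checked."""
    return f"{requirement} --hash=sha256:{sha256_hex(trusted_copy)}"


if __name__ == "__main__":
    line = build_pinned_line("slumber==0.3.0", ORIGINAL_BYTES)
    print(line)
    print("original accepted:", verify_download(line, ORIGINAL_BYTES))
    print("replacement accepted:", verify_download(line, REPLACED_BYTES))
```

With a pin recorded from the copy first installed, a later fetch of the same name and version that returns different bytes is rejected rather than silently installed, which is the failure the thread is discussing; the cost is that a legitimate replacement by the author also has to be re-pinned deliberately.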


More information about the Catalog-SIG mailing list