[Catalog-sig] Proposal: close the PyPI file-replacement loophole

Yuval Greenfield ubershmekel at gmail.com
Mon Jan 30 11:46:26 CET 2012


On Mon, Jan 30, 2012 at 12:27 PM, M.-A. Lemburg <mal at egenix.com> wrote:

> Besides, we're not talking about a common case here, just an emergency
> exit that can be used if needed.
>
This rare "emergency" can be handled by emailing a pypi admin. It most
certainly isn't worth the very real and global security and reliability
risks.

Most cases won't email a pypi admin as it's just that easy to increment the
version by 0.0.1, and the fact that it probably isn't an emergency to
begin with.

Yuval