[Catalog-sig] Proposal: close the PyPI file-replacement loophole

Yuval Greenfield ubershmekel at gmail.com
Mon Jan 30 22:27:11 CET 2012

On Mon, Jan 30, 2012 at 10:07 PM, M.-A. Lemburg <mal at egenix.com> wrote:

> A little off-topic, but I always find it strange that some users of PyPI
> appear to trust package authors with the software they put up on PyPI,
> but don't trust them when it comes to the release process.
> Very strange indeed...
I don't trust "package authors".

I do trust specific versions of specific packages that I've tested.

If I can't trust PyPI to always give me the exact same result for a
specific package-version then I can't use it.

IOW if a hacked maintainer account can modify existing releases - PyPI is a
very real attack vector into many existing systems.

Nothing strange at all,

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/catalog-sig/attachments/20120130/2d5cb66f/attachment-0001.html>

More information about the Catalog-SIG mailing list