[Catalog-sig] Proposal: close the PyPI file-replacement loophole
Yuval Greenfield
ubershmekel at gmail.com
Mon Jan 30 22:27:11 CET 2012
On Mon, Jan 30, 2012 at 10:07 PM, M.-A. Lemburg <mal at egenix.com> wrote:
> A little off-topic, but I always find it strange that some users of PyPI
> appear to trust package authors with the software they put up on PyPI,
> but don't trust them when it comes to the release process.
> Very strange indeed...
>
>
I don't trust "package authors".
I do trust specific versions of specific packages that I've tested.
If I can't trust PyPI to always give me the exact same result for a
specific package-version then I can't use it.
IOW if a hacked maintainer account can modify existing releases - PyPI is a
very real attack vector into many existing systems.
Nothing strange at all,
Yuval
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/catalog-sig/attachments/20120130/2d5cb66f/attachment-0001.html>
More information about the Catalog-SIG
mailing list