[Catalog-sig] Proposal: close the PyPI file-replacement loophole

"Martin v. Löwis" martin at v.loewis.de
Mon Jan 30 22:36:32 CET 2012


On 30.01.2012 21:07, M.-A. Lemburg wrote:
> A little off-topic, but I always find it strange that some users of PyPI
> appear to trust package authors with the software they put up on PyPI,
> but don't trust them when it comes to the release process.
> Very strange indeed...

My feelings entirely. I'm also shocked at how many people readily use
software whose version number is 0.3.0, and then get upset when they
find that 0.4.0 breaks the ABI, or that the author deletes 0.3.0 after
1.0 has been released.

Regards,
Martin

