[Catalog-sig] Proposal: close the PyPI file-replacement loophole

Terry Reedy tjreedy at udel.edu
Mon Jan 30 22:37:33 CET 2012


On 1/30/2012 5:27 AM, M.-A. Lemburg wrote:
> Donald Stufft wrote:

>> It puts the integrity of my (proverbial my) software in the hands
>> of a disparate group of authors who may or may not have the same
>> stringent testing that I do. Any python application that gets
>> installed from PyPI is at risk of mysteriously breaking, even with
>> a "known good" configuration. These bugs are often hard to track
>> down, and very confusing and difficult to determine why they are
>> occurring when they never did before.
>
> PyPI uploads get stored with a hash sum, so any such changes can
> easily be recognized on the client side, if there's a need.

Or redistribute the exact files themselves, as some apps do with cpython.

-- 
Terry Jan Reedy
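The client-side check Lemburg alludes to (a recorded hash letting a replaced upload be recognised) and Reedy's "known good configuration" point can be shown concretely. The following is an added example, not code from this thread, PyPI or any of the posters: it records a manifest of sha256 digests for a directory of downloaded distribution files and later reports which files were silently replaced under the same name, which disappeared, and which appeared. The file names and contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile


def sha256_of(path, chunk=65536):
    """Stream a file through sha256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def record_manifest(directory):
    """Snapshot the 'known good' state: filename -> sha256 of each file present."""
    return {
        name: sha256_of(os.path.join(directory, name))
        for name in sorted(os.listdir(directory))
    }


def verify_manifest(directory, manifest):
    """Compare the directory against a recorded manifest.

    Returns lists of files that are unchanged, were replaced under the same
    name (digest differs), are missing, or were not in the manifest at all.
    A same-name replacement is exactly the case a version number cannot reveal.
    """
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    present = set(os.listdir(directory))
    for name, expected in manifest.items():
        if name not in present:
            report["missing"].append(name)
        elif sha256_of(os.path.join(directory, name)) != expected:
            report["modified"].append(name)
        else:
            report["ok"].append(name)
    report["unexpected"] = sorted(present - set(manifest))
    return report


def _write(directory, name, data):
    with open(os.path.join(directory, name), "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: record, then tamper, then verify."""
    with tempfile.TemporaryDirectory() as d:
        # Hypothetical distribution files as first downloaded and tested.
        _write(d, "pkg-1.0.tar.gz", b"original contents of 1.0\n")
        _write(d, "pkg-1.1.tar.gz", b"original contents of 1.1\n")
        manifest = record_manifest(d)

        # Simulate what the thread worries about: the 1.0 file is replaced
        # under the same name, 1.1 vanishes, and a 1.2 file appears.
        _write(d, "pkg-1.0.tar.gz", b"re-uploaded contents of 1.0\n")
        os.remove(os.path.join(d, "pkg-1.1.tar.gz"))
        _write(d, "pkg-1.2.tar.gz", b"contents of 1.2\n")

        return verify_manifest(d, manifest)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind:10s} {names}")
```

The manifest plays the role of the hash PyPI stores alongside each upload; an installer that keeps such a manifest can refuse a file whose digest no longer matches rather than installing a quietly changed artifact. Redistributing the exact files, as Reedy suggests, sidesteps the problem by never re-fetching at all, but the same digest check is what lets a redistributor confirm its copies still match what was originally tested.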
