[Catalog-sig] Proposal: close the PyPI file-replacement loophole
Chris Withers
chris at simplistix.co.uk
Mon Jan 30 22:46:25 CET 2012
On 30/01/2012 21:27, Yuval Greenfield wrote:
> A little off-topic, but I always find it strange that some users of PyPI
> appear to trust package authors with the software they put up on PyPI,
> but don't trust them when it comes to the release process.
> Very strange indeed...
>
>
> I don't trust "package authors".
>
> I do trust specific versions of specific packages that I've tested.
>
> If I can't trust PyPI to always give me the exact same result for a
> specific package-version then I can't use it.
>
> IOW if a hacked maintainer account can modify existing releases - PyPI
> is a very real attack vector into many existing systems.
Tin foil hats all round ;-)
Chris
--
Simplistix - Content Management, Batch Processing & Python Consulting
- http://www.simplistix.co.uk
More information about the Catalog-SIG
mailing list