[Catalog-sig] Proposal: close the PyPI file-replacement loophole

Donald Stufft donald.stufft at gmail.com
Tue Jan 31 06:26:09 CET 2012


The argument that bumping the release number is hard is an argument that your process should include testing the package before releasing it, not that it should open up anyone using PyPI to install packages to potentially damaging security issues on top of the possible random and undefined breakage that can happen for seemingly no reason.


On Monday, January 30, 2012 at 8:37 PM, PJ Eby wrote:

> On Mon, Jan 30, 2012 at 4:26 AM, Donald Stufft <donald.stufft at gmail.com> wrote:
> > On Monday, January 30, 2012 at 4:23 AM, M.-A. Lemburg wrote:
> > > Please leave the existing logic in place.
> >
> > And version numbers are a scarce resource?
>
> No, release managers are.  ;-) 
> 
> Or more precisely, release management *time* is a scarce resource, and changing the version number in setup.py is far from the only thing you have to do to release a new version of a package. 

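The loophole under discussion is that a file published under a given version can be replaced with different bytes while keeping the same filename and version string, so anyone who pins only `name==version` has no way to tell the two apart. The practical defence on the consumer side is to pin the digest of the file you tested, the way pip's `--hash=sha256:...` requirement syntax does. The following is an added example written for this page, not code from the thread, PyPI or pip; the package name, version and file contents are constructed stand-ins, and the parser handles only the exact-version `--hash` form rather than pip's full requirements grammar.

```python
import hashlib
import hmac
import re

# Constructed stand-ins for the bytes of a published sdist and for a second
# upload that keeps the same filename and version but has different contents
# (the file-replacement case). Neither is a real package.
ORIGINAL_SDIST = b"example-1.0.tar.gz: original, tested contents"
REPLACED_SDIST = b"example-1.0.tar.gz: same version, different contents"

# One requirement line in pip's hash-pinned form:
#   name==version --hash=sha256:<64 hex> [--hash=sha256:<64 hex> ...]
HASH_LINE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)\s+"
    r"(?P<hashes>(?:--hash=sha256:[0-9a-f]{64}\s*)+)$"
)


def sha256_hex(data: bytes) -> str:
    """Lowercase hex SHA-256 of a downloaded file's bytes."""
    return hashlib.sha256(data).hexdigest()


def pin_line(name: str, version: str, data: bytes) -> str:
    """Record a requirement line for a file you have actually tested.

    The digest, not the version string, is what later identifies the file.
    """
    return f"{name}=={version} --hash=sha256:{sha256_hex(data)}"


def parse_pins(requirements_text: str) -> dict:
    """Parse hash-pinned requirements into {(name, version): {sha256 hex digests}}.

    Any line that is not fully pinned is rejected, so a requirements file
    cannot silently fall back to trusting the version number alone.
    """
    pins = {}
    for raw in requirements_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = HASH_LINE.match(line)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        digests = {h.split(":", 1)[1] for h in m.group("hashes").split()}
        pins.setdefault((m.group("name"), m.group("version")), set()).update(digests)
    return pins


def verify_download(name: str, version: str, data: bytes, pins: dict) -> bool:
    """Return True only if the downloaded bytes match a pinned digest.

    A file re-uploaded under the same version with different contents fails
    here even though its name and version look identical to the tested one.
    """
    expected = pins.get((name, version))
    if not expected:
        return False
    actual = sha256_hex(data)
    return any(hmac.compare_digest(actual, digest) for digest in expected)


if __name__ == "__main__":
    # Pin the file at the time it was tested, then check both uploads against it.
    requirements = "# constructed example\n" + pin_line("example", "1.0", ORIGINAL_SDIST)
    pins = parse_pins(requirements)
    print("original accepted:", verify_download("example", "1.0", ORIGINAL_SDIST, pins))
    print("replacement accepted:", verify_download("example", "1.0", REPLACED_SDIST, pins))
```

The pin must be taken from the file you tested, not from whatever the index serves at install time, otherwise it only confirms that the download was not corrupted in transit. Rejecting unpinned lines outright mirrors pip's `--require-hashes` behaviour, where a single unpinned requirement fails the whole install rather than being quietly trusted.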