[Catalog-sig] Proposal: close the PyPI file-replacement loophole
chris at simplistix.co.uk
Tue Jan 31 07:10:00 CET 2012
On 31/01/2012 05:26, Donald Stufft wrote:
> The argument that bumping the release number is hard is an argument that
> your process should include testing the package before releasing it, not
> that it should open up anyone using PyPI to install packages for
> potentially damaging security issues on top of the possible random and
> undefined breakage that can happen for seemingly no reason.
Heh, Phil bumps his release numbers all the time; he just never bothers
doing formal releases anymore ;-)
It's always amusing watching the random selection of subversion
revisions that come down when the latest setuptools is installed...
Simplistix - Content Management, Batch Processing & Python Consulting