[Catalog-sig] Proposal: close the PyPI file-replacement loophole

Chris Withers chris at simplistix.co.uk
Tue Jan 31 07:10:00 CET 2012


On 31/01/2012 05:26, Donald Stufft wrote:
> The argument that bumping the release number is hard is an argument that
> your process should include testing the package before releasing it, not
> that it should open up anyone using PyPI to install packages for
> potential damaging security issues on top of the possible random and
> undefined breakage that can happen for seemingly no reason.

Heh, Phil bumps his release numbers all the time; he just never bothers
doing formal releases anymore ;-)

It's always amusing watching the random selection of subversion 
revisions that come down when the latest setuptools is installed...

Chris

-- 
Simplistix - Content Management, Batch Processing & Python Consulting
             - http://www.simplistix.co.uk
