[Catalog-sig] Use user-specific site-packages by default?

M.-A. Lemburg mal at egenix.com
Tue Feb 5 15:05:01 CET 2013


On 05.02.2013 14:18, Donald Stufft wrote:
> On Tuesday, February 5, 2013 at 8:13 AM, Lennart Regebro wrote:
>> That will mean that a man-in-the-middle attack might poison PyPI's
>> cache. I don't think that's a feasible path forward.
>>
>> Packages do not need to be "cached", as they are not supposed to
>> change. If you change the package you should really release a new
>> version. (Unless you made a mistake and discovered it before anyone
>> actually downloaded it). So what you are proposing is really that PyPI
>> downloads the package from an untrusted source, if the maintainer
>> doesn't upload it. I prefer that we demand that the maintainer upload
>> it.
>>
>>
> 
> I agree with this. External packages are inherently less able to be validated
> than something uploaded to PyPI. We should not disguise them or make
> them appear to be something they aren't.

Hmm, packages aren't validated on PyPI either. You'd need an appstore
team for that :-)

Note that file storage itself can be insecure without any problem.
You only have to make sure that the contents of the downloaded file
match the ones that the author registered with PyPI (and, of
course, you have to make that registration process secure), regardless
of where you downloaded it from.

IMO, PyPI would scale a lot better if it were to only manage the
metadata and security aspect of the package distribution and not
also deal with distribution of the files themselves, but yeah, that's
a different discussion ;-)

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Feb 05 2013)
>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________

::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/


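The verification step Lemburg describes, a client checking that the bytes it fetched from any host match the digest the author registered with the index, as an added example that is not part of the thread and not PyPI's or pip's own code. It models the registered digest as a `#<algorithm>=<hex>` URL fragment (the convention pip understands); the hostnames, the package bytes and the "tampered mirror" are constructed for the example, and `register_digest`, `parse_hash_fragment`, `verify_download` and `check_mirrors` are hypothetical helper names.

```python
import hashlib
import hmac
import re
from urllib.parse import urlsplit

# Digest algorithms the checker accepts. md5 is listed only because old
# index links carried '#md5=' fragments; new registrations should use sha256+.
ALLOWED_ALGORITHMS = ("sha256", "sha512", "md5")


def register_digest(data, algorithm="sha256"):
    """Digest the author computes at registration time and publishes via the index."""
    if algorithm not in ALLOWED_ALGORITHMS:
        raise ValueError("unsupported digest algorithm: %s" % algorithm)
    return hashlib.new(algorithm, data).hexdigest()


def parse_hash_fragment(url):
    """Return (algorithm, hexdigest) from a '#sha256=<hex>' style fragment.

    Returns None when the fragment is missing, names an unknown algorithm,
    or the hex string has the wrong length for that algorithm.
    """
    fragment = urlsplit(url).fragment
    match = re.fullmatch(r"(%s)=([0-9a-fA-F]+)" % "|".join(ALLOWED_ALGORITHMS), fragment)
    if not match:
        return None
    algorithm, hexdigest = match.group(1), match.group(2).lower()
    if len(hexdigest) != hashlib.new(algorithm).digest_size * 2:
        return None
    return algorithm, hexdigest


def verify_download(data, algorithm, expected_hex):
    """True only if the downloaded bytes hash to the registered digest."""
    if algorithm not in ALLOWED_ALGORITHMS:
        return False
    actual = hashlib.new(algorithm, data).hexdigest()
    # Constant-time comparison; both sides are lowercase hex strings.
    return hmac.compare_digest(actual, expected_hex.lower())


def check_mirrors(mirrors, filename, algorithm, expected_hex):
    """Check every host's copy of `filename` against the registered digest.

    `mirrors` maps hostname -> {filename: bytes}. Result maps hostname -> bool,
    where False covers both a missing file and a content mismatch, so the
    caller never installs anything that did not verify.
    """
    results = {}
    for host, files in mirrors.items():
        data = files.get(filename)
        results[host] = data is not None and verify_download(data, algorithm, expected_hex)
    return results


# Constructed sample data: the sdist the author actually released, and three
# hosts that serve it (one of them with altered bytes).
FILENAME = "examplepkg-1.0.tar.gz"
GOOD_SDIST = b"constructed sdist bytes for examplepkg 1.0"
REGISTERED_DIGEST = register_digest(GOOD_SDIST)          # what the author registered
INDEX_LINK = "https://files.example.invalid/%s#sha256=%s" % (FILENAME, REGISTERED_DIGEST)

MIRRORS = {
    "pypi.example.invalid": {FILENAME: GOOD_SDIST},
    "author-site.example.invalid": {FILENAME: GOOD_SDIST},
    "tampered-mirror.example.invalid": {FILENAME: GOOD_SDIST + b"\n# injected"},
    "stale-mirror.example.invalid": {},
}


def audit_index_link(mirrors, url):
    """Parse the registered digest from an index link and check each mirror's copy."""
    parsed = parse_hash_fragment(url)
    if parsed is None:
        raise ValueError("index link carries no usable digest; refusing to verify")
    algorithm, hexdigest = parsed
    filename = urlsplit(url).path.rsplit("/", 1)[-1]
    return check_mirrors(mirrors, filename, algorithm, hexdigest)


if __name__ == "__main__":
    for host, ok in sorted(audit_index_link(MIRRORS, INDEX_LINK).items()):
        print("%-36s %s" % (host, "OK" if ok else "REJECT"))
```

The point of the `check_mirrors` result shape is that a missing file and a mismatching file are treated identically by the installer: only a copy whose digest matches the registration is ever unpacked, so the trustworthiness of the hosting location stops mattering, exactly as the post argues.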