[Catalog-sig] Use user-specific site-packages by default?
Lennart Regebro
regebro at gmail.com
Tue Feb 5 16:07:53 CET 2013
On Tue, Feb 5, 2013 at 3:06 PM, Holger Krekel <holger.krekel at gmail.com> wrote:
> I wouldn't assume that maintainers are easily reachable. I've contacted at
> least three people of different (>1K downloads) packages which never
> responded.
We really can't do very much about abandoned packages.
> And of course, i didn't mean to imply that already installed packages would
> suddenly break. Rather that installation instructions like "use pip install
> X" will just fail with some dependency "Y" not getting installed. Or
> getting installed in some random lower version which might contain evil bugs
> (including security bugs). For exmaple, the referenced "lockfile" project
> has a "0.2" release on pypi, but is currently at 0.9.
There is no way around that problem, except other people than the
maintainers uploading the software to PyPI. That's certainly an
option, and I have no good argument against it, but I don't like it.
(Obviously it can only be done for software marked with relevant licenses).
> In the end, however, none of this prevents MITM attacks between a downloader
> and pypi.python.org.
Sure, and that's another problem, and the low-hanging fruit there is
using https.
> If a signature is available (also at a download_url site), then we can exclude undetected
> tampering.
If they can change the file at the download_url site, then they surely
can change the signature?
//Lennart
More information about the Catalog-SIG
mailing list