[Catalog-sig] Use user-specific site-packages by default?

Donald Stufft donald.stufft at gmail.com
Tue Feb 5 17:03:09 CET 2013


On Tuesday, February 5, 2013 at 10:41 AM, holger krekel wrote:
> MITM attacking any of the many world-wide pypi/easy_install downloads
> from external sites is much easier than tampering with a few one-time
> downloads (verified against each other) for pypi.python.org's
> serving purposes. By contrast, changing client-side tools and
> defaults is going to take much longer and will not reach everybody.
>
> IOW, I believe that improving the serving side is good low hanging
> fruit.
>

Besides the issues with validating that the package we are mirroring
is the authentic one, there's also a legal issue. We don't know for sure
that we have the legal rights to redistribute those files. When you upload
a file to PyPI you grant the PSF a license to do that; no upload from the
author = no license. IANAL but I think I'm correct on that.