[Catalog-sig] [DRAFT] Proposal for fixing PyPI/pip security

Richard Jones richard at python.org
Mon Feb 25 01:15:51 CET 2013


On 23 February 2013 10:47, Giovanni Bajo <rasky at develer.com> wrote:
> Uh-uh, I never knew this until today. Then this is, by itself, a possible
> security hole. I would like to see this fixed somehow (either by removing the
> feature, or by making sure installation tools match the web UI experience).

Package owners need to be able to promote the current version(s) of
their package and hide old, unsupported versions. Those older versions
need to be online for version-locked installations to work.

Donald's crate UI might be appropriate for PyPI. Not sure. The
handling of old packages is a delicate issue - if we start exposing
hidden releases then some package maintainers might just delete the
old packages. And then I'd have a whole other set of people yelling at
me :-)


     Richard