[Catalog-sig] [DRAFT] Proposal for fixing PyPI/pip security

Donald Stufft donald.stufft at gmail.com
Mon Feb 25 01:31:01 CET 2013


On Sunday, February 24, 2013 at 7:15 PM, Richard Jones wrote:
> On 23 February 2013 10:47, Giovanni Bajo <rasky at develer.com> wrote:
> > Uh-uh, never known this until today. Then this is, by itself, a possible
> > security hole. I would like to see this fixed somehow (either removing the
> > feature, and making sure installation tools match the web ui experience).
> 
> Package owners need to be able to promote the current version(s) of
> their package and hide old, unsupported versions. Those older versions
> need to be online for version-locked installations to work.
> 
> Donald's crate UI might be appropriate for PyPI. Not sure. The
> handling of old packages is a delicate issue - if we start exposing
> hidden releases then some package maintainers might just delete the
> old packages. And then I'd have a whole other set of people yelling at
> me :-)

No idea if it would be or not. On Crate there is no deleting anything (unless
you delete the entire project). Crate maps "Delete" on PyPI to "yank".

In the simple API:
   - A yanked release is only available if you're pinned exactly to that release

In the Web UI:
   - A yanked release is displayed crossed out with a prominent warning and
     exists mainly as a record that the release used to exist.

Crate has no other concept of hiding a release.
> Richard

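The simple-API rule Donald describes ("a yanked release is only available if you're pinned exactly to that release") can be shown as a small candidate selector. This is an added example, not code from the thread, from Crate, or from pip: the index data is constructed, versions are plain dotted integers (trailing zeros ignored, so 1.2 and 1.2.0 compare equal), and only the ==, !=, >=, <=, >, < operators are understood. It goes slightly beyond the message by also showing the case where a range matches nothing but yanked files, which then resolves to nothing rather than silently picking the yanked one.

```python
"""Toy resolver applying the yank rule: a yanked release is a candidate only
when the requirement pins that exact version. Added illustration, not pip's
or Crate's actual implementation."""
from __future__ import annotations

import operator
import re
from dataclasses import dataclass

# Constructed sample index: (version, yanked?) pairs for one project.
INDEX = {
    "example-lib": [
        ("1.0.0", False),
        ("1.1.0", False),
        ("1.2.0", True),   # yanked, e.g. found broken after release
        ("1.3.0", False),
    ],
}

_OPS = {
    "==": operator.eq, "!=": operator.ne, ">=": operator.ge,
    "<=": operator.le, ">": operator.gt, "<": operator.lt,
}
_CLAUSE = re.compile(r"^(==|!=|>=|<=|>|<)\s*(\d+(?:\.\d+)*)$")


def parse_version(text: str) -> tuple[int, ...]:
    """Dotted integers to a comparable tuple; '1.2.0' and '1.2' -> (1, 2)."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


@dataclass(frozen=True)
class Clause:
    op: str
    version: tuple[int, ...]


def parse_requirement(req: str) -> tuple[str, list[Clause]]:
    """'name>=1.0,<2' -> ('name', [Clause('>=', (1,)), Clause('<', (2,))])."""
    m = re.match(r"^\s*([A-Za-z0-9_.-]+)\s*(.*)$", req)
    if not m:
        raise ValueError(f"cannot parse requirement: {req!r}")
    name, spec = m.group(1), m.group(2).strip()
    clauses: list[Clause] = []
    for raw in filter(None, (c.strip() for c in spec.split(","))):
        cm = _CLAUSE.match(raw)
        if not cm:
            raise ValueError(f"unsupported clause: {raw!r}")
        clauses.append(Clause(cm.group(1), parse_version(cm.group(2))))
    return name, clauses


def pins_exactly(clauses: list[Clause], version: tuple[int, ...]) -> bool:
    """True only if some clause is '==' on precisely this version."""
    return any(c.op == "==" and c.version == version for c in clauses)


def select(req: str, index: dict = INDEX) -> str | None:
    """Highest version satisfying req, skipping yanked files unless pinned."""
    name, clauses = parse_requirement(req)
    best: tuple[int, ...] | None = None
    best_text: str | None = None
    for ver_text, yanked in index.get(name, []):
        ver = parse_version(ver_text)
        if not all(_OPS[c.op](ver, c.version) for c in clauses):
            continue
        # The yank rule: a yanked file is a candidate only under an exact pin.
        if yanked and not pins_exactly(clauses, ver):
            continue
        if best is None or ver > best:
            best, best_text = ver, ver_text
    return best_text


if __name__ == "__main__":
    for r in ("example-lib>=1.0", "example-lib>=1.0,<1.3",
              "example-lib==1.2.0", "example-lib>=1.2,<1.3"):
        print(f"{r:28} -> {select(r)}")
```

The fourth requirement above is the interesting one: the only version in range is the yanked 1.2.0, and because the clause is a range rather than an exact pin, nothing is selected. That is the behaviour that keeps a version-locked install working while stopping a yanked file from being chosen by accident.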