[Catalog-sig] pre-PEP: transition to release-file hosting at pypi site
jacob at jacobian.org
Tue Mar 12 16:42:28 CET 2013
On Tue, Mar 12, 2013 at 10:38 AM, PJ Eby <pje at telecommunity.com> wrote:
> I'll ask it again: why should *thousands* of projects be censored or
> made to change their release processes, because *you* can't be
> bothered to cache the distributions of the projects you depend on?
Because externally-hosted files are a security risk, one that most
users don't realize exists.
We can either fix this problem now, or we can wait until someone is
compromised using PyPI as a vector.
More information about the Catalog-SIG